Red Hat
Monthly
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Storable versions before 3.05 for Perl has a stack overflow. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Integer overflow in Firefox's Audio/Video Playback component allows remote unauthenticated attackers to cause integrity violations through specially crafted multimedia content. The vulnerability stems from incorrect boundary condition handling in numeric calculations, potentially enabling attackers to modify playback state or corrupt audio/video streams without user interaction. Firefox 150 and later contain the fix.
Unauthenticated remote attackers can obtain sensitive information from Firefox's IP Protection component prior to version 150 via network-accessible requests with low attack complexity. The vulnerability leaks confidential data (CVSS:C=High) without requiring user interaction or special privileges, affecting all Firefox installations below version 150. Mozilla has released a vendor-confirmed patch in Firefox 150. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N).
Denial-of-service in Firefox versions prior to 150 allows remote attackers to crash the browser via malformed audio/video content during playback. The vulnerability requires no authentication and minimal attack complexity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), enabling attackers to render the browser unresponsive or terminated through crafted media files. Mozilla has released Firefox 150 to address this issue. EPSS data not available; no evidence of active exploitation (not in CISA KEV), though SSVC assessment notes the vulnerability is not currently being exploited and is classified as non-automatable with partial technical impact.
Denial-of-service in Firefox's Audio/Video playback component allows remote attackers to crash the browser via network-based exploitation requiring no authentication or user interaction. Mozilla patched the vulnerability in Firefox 150. CVSS 7.5 (High) reflects high availability impact, but SSVC assessment marks it as partial technical impact with no confirmed exploitation, indicating lower real-world priority than critical RCE vulnerabilities. No public exploit code or CISA KEV listing identified.
Mozilla Firefox JavaScript Engine contains an improper input validation flaw that permits remote, unauthenticated information disclosure to attackers without user interaction. The vulnerability (CWE-20: Improper Input Validation) affects all versions prior to Firefox 150 and allows attackers to access sensitive data via a network-based attack with low complexity. A vendor-released patch is available in Firefox 150.
Denial of service via null pointer dereference in Firefox's Audio/Video Playback component allows remote attackers to crash the browser without user interaction. The vulnerability affects Firefox versions prior to 150 and requires only a network connection to trigger, resulting in availability loss but not code execution or data compromise. No active exploitation has been confirmed at time of analysis.
Denial of service in Firefox DNS networking component allows unauthenticated remote attackers to cause partial availability impact through crafted network requests. The vulnerability, classified as a cross-site request forgery (CSRF) issue within DNS handling, affects Firefox versions prior to 150 and has been patched by Mozilla.
Buffer overflow in Firefox WebRTC networking component allows local attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. No public exploit identified at time of analysis. CVSS 7.8 reflects high severity but requires local access and user interaction, limiting remote attack surface. Mozilla has released patches in Firefox 150 and Firefox ESR 140.10.
Incorrect boundary conditions in Firefox's WebRTC component allow remote attackers to read limited memory contents without authentication. Firefox versions prior to 150 are affected by this low-confidentiality vulnerability, which CVSS rates at 5.3 due to network exploitability without user interaction, though CISA's SSVC framework indicates no current exploitation activity and limited technical impact.
Mitigation bypass in Firefox's DOM Security component allows authenticated remote attackers with user interaction to circumvent security controls and gain limited read/write access to sensitive data across security boundaries. Firefox 150 and later versions contain the fix; versions prior to 150 are vulnerable. SSVC assessment indicates no current public exploitation, though the vulnerability requires user interaction and authentication to trigger.
Integer overflow in Firefox's WebGPU graphics component enables remote denial-of-service attacks against default browser configurations. Attackers can trigger high availability impact via network-accessible exploitation without authentication or user interaction. Mozilla patched this in Firefox 150, with SSVC framework rating it automatable with partial technical impact despite CVSS 7.5 severity. No active exploitation confirmed and EPSS data not provided for risk quantification.
Information disclosure in Mozilla Firefox NSS Library component allows remote unauthenticated attackers to extract high-value confidential data via network-accessible boundary condition errors. Affects Firefox versions prior to 150, ESR 115.x prior to 115.35, and ESR 140.x prior to 140.10. SSVC framework classifies as automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC automation rating and CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicate straightforward exploitation potential once vulnerability details are published.
DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. The vulnerability bypasses critical browser security controls designed to protect the Document Object Model. SSVC assessment indicates the flaw is automatable with total technical impact, though no active exploitation has been confirmed at time of analysis. CVSS 9.8 critical rating reflects network-based attack with no complexity barriers.
Information disclosure in Firefox's IndexedDB storage component allows remote unauthenticated attackers to leak sensitive data through a network-accessible vulnerability with no user interaction required. Affected versions include Firefox prior to 150 and Firefox ESR prior to 140.10. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with confidentiality impact and limited availability risk.
Privilege escalation in Firefox's Debugger component allows remote attackers to gain elevated system privileges after user interaction with a malicious site. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. CVSS 8.8 severity with network attack vector and no authentication required. SSVC framework indicates no active exploitation detected and non-automatable attack pattern. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10 per Mozilla security advisories MFSA2026-30 through MFSA2026-34.
Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. Mozilla has released patches in security advisories MFSA2026-30 and MFSA2026-33. CISA SSVC framework classifies this as fully automatable with total technical impact, though no active exploitation is confirmed at time of analysis. CVSS 9.8 critical severity reflects the network attack vector with no authentication or user interaction required.
Confidentiality compromise in Firefox NSS Libraries allows remote unauthenticated attackers to leak sensitive information over the network without user interaction. The vulnerability affects Firefox 150 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier, and has been patched in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. No public exploit code or active exploitation has been identified at the time of analysis.
Remote information disclosure in Mozilla Network Security Services (NSS) library allows unauthenticated attackers to extract high-sensitivity data via network requests with no user interaction. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. The vulnerability stems from incorrect boundary condition handling (CWE-754) in NSS cryptographic libraries. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10. SSVC framework classifies as automatable with partial technical impact, though no public exploit identified at time of analysis.
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
DOM spoofing in Firefox allows remote attackers to deceive users about webpage origin and integrity through rendering manipulation, requiring user interaction. Affects Firefox 149 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. EPSS score of 0.02% indicates low exploitation probability despite CVSS 6.3 rating, suggesting practical exploitation constraints despite network accessibility.
Remote attackers can escalate privileges in Firefox and Firefox ESR through a flaw in the Networking component when a user interacts with malicious content. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10, allowing attackers with no initial privileges to achieve high impact on confidentiality, integrity, and availability. Mozilla has released patches for both product lines. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV); public exploit code status unknown.
Authentication bypass in Firefox's cookie handling mechanism allows remote unauthenticated attackers to circumvent security controls and potentially execute arbitrary code or access protected resources. The vulnerability affects Firefox versions prior to 150 and has a critical CVSS score of 9.8 (network-exploitable, no authentication required, low complexity). Despite the severe CVSS rating, EPSS probability indicates only 0.02% likelihood of exploitation (4th percentile), suggesting limited real-world targeting. Mozilla has patched this in Firefox 150 per security advisories MFSA2026-30 and MFSA2026-33. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis.
Memory corruption in Firefox's Widget: Cocoa component on macOS enables remote denial of service through use-after-free exploitation. Mozilla patched this in Firefox 150 and Firefox ESR 140.10 after internal discovery. The CVSS vector indicates network-accessible exploitation requiring no authentication or user interaction, though SSVC assessment classifies technical impact as partial and exploitation as non-automatable. No public exploit identified at time of analysis, with SSVC indicating no evidence of active exploitation.
Use-after-free in Firefox's WebAssembly JavaScript engine enables remote denial-of-service attacks against users running unpatched versions below Firefox 150. The vulnerability allows network-based attackers to crash the browser without authentication or user interaction by triggering memory corruption in WebAssembly processing. Mozilla patched this in Firefox 150 (MFSA2026-30). EPSS data not available, not listed in CISA KEV, and SSVC framework rates exploitation as 'none' with non-automatable, partial technical impact-suggesting lower real-world risk despite CVSS 7.5 severity.
Invalid pointer handling in Firefox's JavaScript-WebAssembly component allows remote attackers to disclose information or cause limited memory corruption via a malicious webpage, requiring user interaction. The vulnerability affects Firefox versions prior to 150 and Firefox ESR prior to 140.10, with an EPSS score of 0.02% indicating minimal real-world exploitation probability despite moderate CVSS severity. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10.
A mitigation bypass in Firefox for Android allows remote attackers to achieve high-impact integrity violations without authentication or user interaction. Fixed in Firefox 150, this CWE-200 information disclosure flaw enables attackers to circumvent existing security controls via network-based vectors. Despite a CVSS base score of 7.5 (High), real-world exploitation risk appears limited: EPSS probability is only 0.02% (5th percentile), no public exploit code has been identified, and CISA SSVC framework rates it as non-exploited with partial technical impact, though automatable.
A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in `internal_dwa_compressor.h:1040` where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.
Signed integer overflow in OpenEXR 3.4.0-3.4.9 HTJ2K decompression allows remote attackers to cause denial of service via crafted EXR files with excessive FLOAT channels. The `ht_undo_impl()` function accumulates a bytes-per-line value in a 32-bit signed integer without overflow protection; on memory-permissive systems, the wrapped negative value enables heap out-of-bounds writes. OpenEXR 3.4.10 contains the fix. This is a distinct overflow from CVE-2026-34545 in the same function and mirrors the pattern of CVE-2026-34588.
OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.
Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated remote attackers to read arbitrary files from the conversion host when HTMLExporter.embed_images is enabled, by embedding malicious image references with path traversal sequences in a crafted notebook. A malicious actor can exfiltrate sensitive files as base64-encoded data URIs in the output HTML, achieving confidentiality breach with no integrity or availability impact. Vendor-released patch: version 7.17.1.
Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.
Buffer overflow in glibc's obsolete NIS authentication function allows remote attackers to compromise integrity and availability via spoofed UDP responses. Affects all glibc versions through 2.43, but exploitation requires the target application to actively use the deprecated nis_local_principal function (obsolete since glibc 2.26). EPSS score of 0.02% (5th percentile) indicates low real-world exploitation probability, consistent with the narrow attack surface of legacy NIS deployments. No active exploitation or public exploit code identified at time of analysis.
Local privilege escalation in python-dotenv before version 1.2.2 allows authenticated users to overwrite arbitrary files via symlink following in the set_key() and unset_key() functions when a cross-device rename fallback is triggered. An attacker with local access and the ability to write to the filesystem can create malicious symlinks that python-dotenv will follow during .env file rewriting, leading to unintended file modification or deletion. The vulnerability requires user interaction (the application must call set_key() or unset_key()) but affects any system using vulnerable versions of the library. No public exploit code or active exploitation has been reported at time of analysis.
pip before version 26.1 incorrectly treats concatenated tar and ZIP archives as ZIP files regardless of filename, potentially installing unintended package contents when ambiguous archive formats are processed. Local attackers with user interaction can exploit this during package installation to cause integrity confusion, where an archive's actual contents diverge from its declared format. The vulnerability requires local access and user interaction (downloading/installing a crafted archive), limiting real-world impact to supply-chain scenarios or direct social engineering of pip users.
Out-of-bounds read in the Linux kernel's X.509 certificate parser allows local unprivileged users to trigger memory corruption or denial of service by submitting a specially crafted certificate via the keyrings(7) API. The flaw exists in the handling of empty Basic Constraints or Key Usage extensions, where the first byte is dereferenced before the length check. A proof-of-concept was responsibly disclosed by the reporter, though no public exploit is identified at time of analysis and EPSS rates the exploitation probability as very low (0.01%).
Cross-cache slab free in the Linux kernel's socket buffer (SKB) subsystem allows a local authenticated attacker to trigger a kernel panic and denial of service on systems where KFENCE is enabled. When KFENCE intercepts a kzalloc() call whose requested size exactly matches SKB_SMALL_HEAD_CACHE_SIZE, the computed skb_end_offset misleads skb_kfree_head() into freeing the object to skb_small_head_cache instead of the originating kmalloc cache, corrupting slab allocator state. No public exploit is identified at time of analysis and EPSS is 0.02% (4th percentile), placing this firmly in the low-urgency tier absent a KFENCE-enabled production environment.
AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a USB-connected camera to trigger information disclosure or denial of service via malformed PTP protocol data during Samsung Galaxy device enumeration. The vulnerability exists in `ptp_unpack_OI()` which validates buffer boundaries at 48 bytes but subsequently reads up to 56 bytes, exceeding the boundary by 9 bytes. A fix is available in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows physical attackers to disclose sensitive memory and cause denial of service via a malicious PTP (Picture Transfer Protocol) device. The vulnerability exists in the Sony-specific DPD unpacking function, which fails to validate buffer boundaries before reading an enumeration count, enabling attackers with direct device access to craft responses that trigger the out-of-bounds read. Patch is available via upstream commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 in the PTP protocol parser allows information disclosure and potential denial of service when processing specially crafted camera responses. The vulnerability exists in ptp_unpack_DPV() where UINT128 and INT128 cases advance the buffer offset by 16 bytes without verifying sufficient buffer remains available, potentially exposing adjacent memory. Exploitation requires physical access to connect a malicious camera device (AV:P), but no special authentication or user interaction is needed once connected. No public exploit code identified at time of analysis.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive information from process memory or cause denial of service via malformed EOS event data. Two functions in ptp-pack.c lack length validation, enabling unbounded buffer reads when processing camera events. The vulnerability requires physical device access and is not remotely exploitable, with no public exploit code identified at time of analysis.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Missing lock check in AMD Platform Security Processor in AMD EPYC™ 9005 Series CPUs allows a privileged attacker to potentially impact guest confidentiality via local access.
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. ### Details Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. ### Impact An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. ### Mitigation Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
### Impact An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `attacker@evil.com@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid email address. The issue **ONLY** affects deployments that rely on `email_domain` restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected. ### Patches Users should upgrade to `v7.15.2` or later once available. ### Workarounds The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
### Summary Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. ### Details The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic. ### PoC ```golang package main import ( "bytes" "fmt" "github.com/gomarkdown/markdown/html" ) func main() { src := []byte("<a") fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src)) var buf bytes.Buffer sp := html.NewSmartypantsRenderer(html.Smartypants) sp.Process(&buf, src) // panics: slice bounds out of range fmt.Printf("Output: %q\n", buf.String()) } ``` ### Impact This vulnerability will lead to a Denial of Service / panic on the processing service. -- The Datadog Security Team
OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. ``` ==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38 WRITE of size 8 at 0xea2fb818 thread T0 ```
In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.
Varnish Enterprise before version 6.0.16r12 is vulnerable to a workspace overflow denial of service attack that crashes the daemon through the headerplus.write_req0() VCL function. Unauthenticated remote attackers can craft HTTP requests with excessive header fields to trigger a panic and terminate the Varnish server, particularly impacting deployments using shared VCL through Varnish Controller. CVSS base score of 4.0 reflects low availability impact with high attack complexity, and no public exploit code or confirmed active exploitation has been identified.
Denial of service via workspace overflow in Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows unauthenticated remote attackers to trigger daemon panic through HTTP/2 session upgrade with specific amounts of prefetched data. The vulnerability exploits improper buffer allocation during HTTP/1 to HTTP/2 transport upgrade, causing workspace exhaustion on subsequent pipelined fetch operations. EPSS score of 4.0 (low-to-medium risk) reflects attack complexity and limited scope (local availability impact only), though no public exploit code or active exploitation has been confirmed.
Integer underflow in libexif version 0.6.25 and earlier during Fuji and Olympus MakerNote decoding allows local attackers to crash applications or leak sensitive memory information. The vulnerability requires local access and specific user interaction (high complexity) but affects all applications linking libexif, creating a supply-chain exposure for image processing tools.
Integer overflow in libexif through 0.6.25 Nikon MakerNote handling allows local attackers on 32-bit systems to trigger crashes or read sensitive memory, requiring high attack complexity and no user interaction. This affects only 32-bit architectures due to the integer arithmetic involved; EPSS probability is low given the local-only attack vector and high complexity prerequisite, but patch availability is currently unconfirmed.
Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8, with authenticated remote attackers on high-complexity networks potentially inducing information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or enable validate=True parameter for stricter base64 validation.
Kubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authenticated low-privileged user retrieve SA tokens via an exposed NodeJS endpoint, then reuse them to reach Kubernetes resources beyond the dashboard's intended scope. Rated CVSS 9.9 with a changed scope, the flaw effectively converts limited dashboard access into broad cluster access. There is no public exploit identified at time of analysis and EPSS is very low (0.06%), but a vendor patch is already available via Red Hat errata.
Heap buffer overflow in HDF5 library versions 1.14.1-2 and earlier allows local attackers to trigger a write-based overflow in the H5T__ref_mem_setnull method by crafting malicious HDF5 files, leading to denial-of-service and potential remote code execution depending on heap exploitation complexity. Attack requires local file access and user interaction to parse a malicious file. No public exploit code identified at time of analysis.
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd versions 260 through 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to local-only attack vector and non-privileged requirements.
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Integer overflow in the Linux kernel's USB gadget mass storage driver (f_mass_storage) allows a malicious USB host to corrupt kernel memory or trigger out-of-bounds accesses on any Linux system acting as a USB storage gadget. The flaw affects kernel versions tracing back to Linux 3.3 (commit 144974e7f9e32b53b02f6c8632be45d8f43d6ab5), with vendor-released patches now available across multiple stable branches. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a very low 0.02%, consistent with the physical USB access prerequisite.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Storable versions before 3.05 for Perl has a stack overflow. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Integer overflow in Firefox's Audio/Video Playback component allows remote unauthenticated attackers to cause integrity violations through specially crafted multimedia content. The vulnerability stems from incorrect boundary condition handling in numeric calculations, potentially enabling attackers to modify playback state or corrupt audio/video streams without user interaction. Firefox 150 and later contain the fix.
Unauthenticated remote attackers can obtain sensitive information from Firefox's IP Protection component prior to version 150 via network-accessible requests with low attack complexity. The vulnerability leaks confidential data (CVSS:C=High) without requiring user interaction or special privileges, affecting all Firefox installations below version 150. Mozilla has released a vendor-confirmed patch in Firefox 150. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N).
Denial-of-service in Firefox versions prior to 150 allows remote attackers to crash the browser via malformed audio/video content during playback. The vulnerability requires no authentication and minimal attack complexity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), enabling attackers to render the browser unresponsive or terminated through crafted media files. Mozilla has released Firefox 150 to address this issue. EPSS data not available; no evidence of active exploitation (not in CISA KEV), though SSVC assessment notes the vulnerability is not currently being exploited and is classified as non-automatable with partial technical impact.
Denial-of-service in Firefox's Audio/Video playback component allows remote attackers to crash the browser via network-based exploitation requiring no authentication or user interaction. Mozilla patched the vulnerability in Firefox 150. CVSS 7.5 (High) reflects high availability impact, but SSVC assessment marks it as partial technical impact with no confirmed exploitation, indicating lower real-world priority than critical RCE vulnerabilities. No public exploit code or CISA KEV listing identified.
Mozilla Firefox JavaScript Engine contains an improper input validation flaw that permits remote, unauthenticated information disclosure to attackers without user interaction. The vulnerability (CWE-20: Improper Input Validation) affects all versions prior to Firefox 150 and allows attackers to access sensitive data via a network-based attack with low complexity. A vendor-released patch is available in Firefox 150.
Denial of service via null pointer dereference in Firefox's Audio/Video Playback component allows remote attackers to crash the browser without user interaction. The vulnerability affects Firefox versions prior to 150 and requires only a network connection to trigger, resulting in availability loss but not code execution or data compromise. No active exploitation has been confirmed at time of analysis.
Denial of service in Firefox DNS networking component allows unauthenticated remote attackers to cause partial availability impact through crafted network requests. The vulnerability, classified as a cross-site request forgery (CSRF) issue within DNS handling, affects Firefox versions prior to 150 and has been patched by Mozilla.
Buffer overflow in Firefox WebRTC networking component allows local attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. No public exploit identified at time of analysis. CVSS 7.8 reflects high severity but requires local access and user interaction, limiting remote attack surface. Mozilla has released patches in Firefox 150 and Firefox ESR 140.10.
Incorrect boundary conditions in Firefox's WebRTC component allow remote attackers to read limited memory contents without authentication. Firefox versions prior to 150 are affected by this low-confidentiality vulnerability, which CVSS rates at 5.3 due to network exploitability without user interaction, though CISA's SSVC framework indicates no current exploitation activity and limited technical impact.
Mitigation bypass in Firefox's DOM Security component allows authenticated remote attackers with user interaction to circumvent security controls and gain limited read/write access to sensitive data across security boundaries. Firefox 150 and later versions contain the fix; versions prior to 150 are vulnerable. SSVC assessment indicates no current public exploitation, though the vulnerability requires user interaction and authentication to trigger.
Integer overflow in Firefox's WebGPU graphics component enables remote denial-of-service attacks against default browser configurations. Attackers can trigger high availability impact via network-accessible exploitation without authentication or user interaction. Mozilla patched this in Firefox 150, with SSVC framework rating it automatable with partial technical impact despite CVSS 7.5 severity. No active exploitation confirmed and EPSS data not provided for risk quantification.
Information disclosure in Mozilla Firefox NSS Library component allows remote unauthenticated attackers to extract high-value confidential data via network-accessible boundary condition errors. Affects Firefox versions prior to 150, ESR 115.x prior to 115.35, and ESR 140.x prior to 140.10. SSVC framework classifies as automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC automation rating and CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicate straightforward exploitation potential once vulnerability details are published.
DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. The vulnerability bypasses critical browser security controls designed to protect the Document Object Model. SSVC assessment indicates the flaw is automatable with total technical impact, though no active exploitation has been confirmed at time of analysis. CVSS 9.8 critical rating reflects network-based attack with no complexity barriers.
Information disclosure in Firefox's IndexedDB storage component allows remote unauthenticated attackers to leak sensitive data through a network-accessible vulnerability with no user interaction required. Affected versions include Firefox prior to 150 and Firefox ESR prior to 140.10. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with confidentiality impact and limited availability risk.
Privilege escalation in Firefox's Debugger component allows remote attackers to gain elevated system privileges after user interaction with a malicious site. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. CVSS 8.8 severity with network attack vector and no authentication required. SSVC framework indicates no active exploitation detected and non-automatable attack pattern. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10 per Mozilla security advisories MFSA2026-30 through MFSA2026-34.
Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. Mozilla has released patches in security advisories MFSA2026-30 and MFSA2026-33. CISA SSVC framework classifies this as fully automatable with total technical impact, though no active exploitation is confirmed at time of analysis. CVSS 9.8 critical severity reflects the network attack vector with no authentication or user interaction required.
Confidentiality compromise in Firefox NSS Libraries allows remote unauthenticated attackers to leak sensitive information over the network without user interaction. The vulnerability affects Firefox 150 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier, and has been patched in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. No public exploit code or active exploitation has been identified at the time of analysis.
Remote information disclosure in Mozilla Network Security Services (NSS) library allows unauthenticated attackers to extract high-sensitivity data via network requests with no user interaction. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. The vulnerability stems from incorrect boundary condition handling (CWE-754) in NSS cryptographic libraries. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10. SSVC framework classifies as automatable with partial technical impact, though no public exploit identified at time of analysis.
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
DOM spoofing in Firefox allows remote attackers to deceive users about webpage origin and integrity through rendering manipulation, requiring user interaction. Affects Firefox 149 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. EPSS score of 0.02% indicates low exploitation probability despite CVSS 6.3 rating, suggesting practical exploitation constraints despite network accessibility.
Remote attackers can escalate privileges in Firefox and Firefox ESR through a flaw in the Networking component when a user interacts with malicious content. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10, allowing attackers with no initial privileges to achieve high impact on confidentiality, integrity, and availability. Mozilla has released patches for both product lines. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV); public exploit code status unknown.
Authentication bypass in Firefox's cookie handling mechanism allows remote unauthenticated attackers to circumvent security controls and potentially execute arbitrary code or access protected resources. The vulnerability affects Firefox versions prior to 150 and has a critical CVSS score of 9.8 (network-exploitable, no authentication required, low complexity). Despite the severe CVSS rating, EPSS probability indicates only 0.02% likelihood of exploitation (4th percentile), suggesting limited real-world targeting. Mozilla has patched this in Firefox 150 per security advisories MFSA2026-30 and MFSA2026-33. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis.
Memory corruption in Firefox's Widget: Cocoa component on macOS enables remote denial of service through use-after-free exploitation. Mozilla patched this in Firefox 150 and Firefox ESR 140.10 after internal discovery. The CVSS vector indicates network-accessible exploitation requiring no authentication or user interaction, though SSVC assessment classifies technical impact as partial and exploitation as non-automatable. No public exploit identified at time of analysis, with SSVC indicating no evidence of active exploitation.
Use-after-free in Firefox's WebAssembly JavaScript engine enables remote denial-of-service attacks against users running unpatched versions below Firefox 150. The vulnerability allows network-based attackers to crash the browser without authentication or user interaction by triggering memory corruption in WebAssembly processing. Mozilla patched this in Firefox 150 (MFSA2026-30). EPSS data not available, not listed in CISA KEV, and SSVC framework rates exploitation as 'none' with non-automatable, partial technical impact-suggesting lower real-world risk despite CVSS 7.5 severity.
Invalid pointer handling in Firefox's JavaScript-WebAssembly component allows remote attackers to disclose information or cause limited memory corruption via a malicious webpage, requiring user interaction. The vulnerability affects Firefox versions prior to 150 and Firefox ESR prior to 140.10, with an EPSS score of 0.02% indicating minimal real-world exploitation probability despite moderate CVSS severity. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10.
A mitigation bypass in Firefox for Android allows remote attackers to achieve high-impact integrity violations without authentication or user interaction. Fixed in Firefox 150, this CWE-200 information disclosure flaw enables attackers to circumvent existing security controls via network-based vectors. Despite a CVSS base score of 7.5 (High), real-world exploitation risk appears limited: EPSS probability is only 0.02% (5th percentile), no public exploit code has been identified, and CISA SSVC framework rates it as non-exploited with partial technical impact, though automatable.
A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in `internal_dwa_compressor.h:1040` where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.
Signed integer overflow in OpenEXR 3.4.0-3.4.9 HTJ2K decompression allows remote attackers to cause denial of service via crafted EXR files with excessive FLOAT channels. The `ht_undo_impl()` function accumulates a bytes-per-line value in a 32-bit signed integer without overflow protection; on memory-permissive systems, the wrapped negative value enables heap out-of-bounds writes. OpenEXR 3.4.10 contains the fix. This is a distinct overflow from CVE-2026-34545 in the same function and mirrors the pattern of CVE-2026-34588.
OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.
Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated remote attackers to read arbitrary files from the conversion host when HTMLExporter.embed_images is enabled, by embedding malicious image references with path traversal sequences in a crafted notebook. A malicious actor can exfiltrate sensitive files as base64-encoded data URIs in the output HTML, achieving confidentiality breach with no integrity or availability impact. Vendor-released patch: version 7.17.1.
Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.
Buffer overflow in glibc's obsolete NIS authentication function allows remote attackers to compromise integrity and availability via spoofed UDP responses. Affects all glibc versions through 2.43, but exploitation requires the target application to actively use the deprecated nis_local_principal function (obsolete since glibc 2.26). EPSS score of 0.02% (5th percentile) indicates low real-world exploitation probability, consistent with the narrow attack surface of legacy NIS deployments. No active exploitation or public exploit code identified at time of analysis.
Local privilege escalation in python-dotenv before version 1.2.2 allows authenticated users to overwrite arbitrary files via symlink following in the set_key() and unset_key() functions when a cross-device rename fallback is triggered. An attacker with local access and the ability to write to the filesystem can create malicious symlinks that python-dotenv will follow during .env file rewriting, leading to unintended file modification or deletion. The vulnerability requires user interaction (the application must call set_key() or unset_key()) but affects any system using vulnerable versions of the library. No public exploit code or active exploitation has been reported at time of analysis.
pip before version 26.1 incorrectly treats concatenated tar and ZIP archives as ZIP files regardless of filename, potentially installing unintended package contents when ambiguous archive formats are processed. Local attackers with user interaction can exploit this during package installation to cause integrity confusion, where an archive's actual contents diverge from its declared format. The vulnerability requires local access and user interaction (downloading/installing a crafted archive), limiting real-world impact to supply-chain scenarios or direct social engineering of pip users.
Out-of-bounds read in the Linux kernel's X.509 certificate parser allows local unprivileged users to trigger memory corruption or denial of service by submitting a specially crafted certificate via the keyrings(7) API. The flaw exists in the handling of empty Basic Constraints or Key Usage extensions, where the first byte is dereferenced before the length check. A proof-of-concept was responsibly disclosed by the reporter, though no public exploit is identified at time of analysis and EPSS rates the exploitation probability as very low (0.01%).
Cross-cache slab free in the Linux kernel's socket buffer (SKB) subsystem allows a local authenticated attacker to trigger a kernel panic and denial of service on systems where KFENCE is enabled. When KFENCE intercepts a kzalloc() call whose requested size exactly matches SKB_SMALL_HEAD_CACHE_SIZE, the computed skb_end_offset misleads skb_kfree_head() into freeing the object to skb_small_head_cache instead of the originating kmalloc cache, corrupting slab allocator state. No public exploit is identified at time of analysis and EPSS is 0.02% (4th percentile), placing this firmly in the low-urgency tier absent a KFENCE-enabled production environment.
AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a USB-connected camera to trigger information disclosure or denial of service via malformed PTP protocol data during Samsung Galaxy device enumeration. The vulnerability exists in `ptp_unpack_OI()` which validates buffer boundaries at 48 bytes but subsequently reads up to 56 bytes, exceeding the boundary by 9 bytes. A fix is available in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows physical attackers to disclose sensitive memory and cause denial of service via a malicious PTP (Picture Transfer Protocol) device. The vulnerability exists in the Sony-specific DPD unpacking function, which fails to validate buffer boundaries before reading an enumeration count, enabling attackers with direct device access to craft responses that trigger the out-of-bounds read. Patch is available via upstream commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 in the PTP protocol parser allows information disclosure and potential denial of service when processing specially crafted camera responses. The vulnerability exists in ptp_unpack_DPV() where UINT128 and INT128 cases advance the buffer offset by 16 bytes without verifying sufficient buffer remains available, potentially exposing adjacent memory. Exploitation requires physical access to connect a malicious camera device (AV:P), but no special authentication or user interaction is needed once connected. No public exploit code identified at time of analysis.
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive information from process memory or cause denial of service via malformed EOS event data. Two functions in ptp-pack.c lack length validation, enabling unbounded buffer reads when processing camera events. The vulnerability requires physical device access and is not remotely exploitable, with no public exploit code identified at time of analysis.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Missing lock check in AMD Platform Security Processor in AMD EPYC™ 9005 Series CPUs allows a privileged attacker to potentially impact guest confidentiality via local access.
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. ### Details Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. ### Impact An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. ### Mitigation Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
### Impact An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `attacker@evil.com@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid email address. The issue **ONLY** affects deployments that rely on `email_domain` restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected. ### Patches Users should upgrade to `v7.15.2` or later once available. ### Workarounds The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
### Summary Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. ### Details The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic. ### PoC ```golang package main import ( "bytes" "fmt" "github.com/gomarkdown/markdown/html" ) func main() { src := []byte("<a") fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src)) var buf bytes.Buffer sp := html.NewSmartypantsRenderer(html.Smartypants) sp.Process(&buf, src) // panics: slice bounds out of range fmt.Printf("Output: %q\n", buf.String()) } ``` ### Impact This vulnerability will lead to a Denial of Service / panic on the processing service. -- The Datadog Security Team
OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. ``` ==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38 WRITE of size 8 at 0xea2fb818 thread T0 ```
In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.
Varnish Enterprise before version 6.0.16r12 is vulnerable to a workspace overflow denial of service attack that crashes the daemon through the headerplus.write_req0() VCL function. Unauthenticated remote attackers can craft HTTP requests with excessive header fields to trigger a panic and terminate the Varnish server, particularly impacting deployments using shared VCL through Varnish Controller. CVSS base score of 4.0 reflects low availability impact with high attack complexity, and no public exploit code or confirmed active exploitation has been identified.
Denial of service via workspace overflow in Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows unauthenticated remote attackers to trigger daemon panic through HTTP/2 session upgrade with specific amounts of prefetched data. The vulnerability exploits improper buffer allocation during HTTP/1 to HTTP/2 transport upgrade, causing workspace exhaustion on subsequent pipelined fetch operations. EPSS score of 4.0 (low-to-medium risk) reflects attack complexity and limited scope (local availability impact only), though no public exploit code or active exploitation has been confirmed.
Integer underflow in libexif version 0.6.25 and earlier during Fuji and Olympus MakerNote decoding allows local attackers to crash applications or leak sensitive memory information. The vulnerability requires local access and specific user interaction (high complexity) but affects all applications linking libexif, creating a supply-chain exposure for image processing tools.
Integer overflow in libexif through 0.6.25 Nikon MakerNote handling allows local attackers on 32-bit systems to trigger crashes or read sensitive memory, requiring high attack complexity and no user interaction. This affects only 32-bit architectures due to the integer arithmetic involved; EPSS probability is low given the local-only attack vector and high complexity prerequisite, but patch availability is currently unconfirmed.
Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8, with authenticated remote attackers on high-complexity networks potentially inducing information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or enable validate=True parameter for stricter base64 validation.
Kubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authenticated low-privileged user retrieve SA tokens via an exposed NodeJS endpoint, then reuse them to reach Kubernetes resources beyond the dashboard's intended scope. Rated CVSS 9.9 with a changed scope, the flaw effectively converts limited dashboard access into broad cluster access. There is no public exploit identified at time of analysis and EPSS is very low (0.06%), but a vendor patch is already available via Red Hat errata.
Heap buffer overflow in HDF5 library versions 1.14.1-2 and earlier allows local attackers to trigger a write-based overflow in the H5T__ref_mem_setnull method by crafting malicious HDF5 files, leading to denial-of-service and potential remote code execution depending on heap exploitation complexity. Attack requires local file access and user interaction to parse a malicious file. No public exploit code identified at time of analysis.
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd versions 260 through 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to local-only attack vector and non-privileged requirements.
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Integer overflow in the Linux kernel's USB gadget mass storage driver (f_mass_storage) allows a malicious USB host to corrupt kernel memory or trigger out-of-bounds accesses on any Linux system acting as a USB storage gadget. The flaw affects kernel versions tracing back to Linux 3.3 (commit 144974e7f9e32b53b02f6c8632be45d8f43d6ab5), with vendor-released patches now available across multiple stable branches. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a very low 0.02%, consistent with the physical USB access prerequisite.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.