Suse
Monthly
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.
BuildKit versions prior to 0.28.1 allow untrusted custom frontends to write arbitrary files outside the execution state directory through crafted API messages, enabling path traversal attacks. This affects users who specify custom frontends via #syntax directives or --build-arg BUILDKIT_SYNTAX parameters with untrusted images. The vulnerability carries a CVSS score of 8.4 with local attack vector requiring no privileges or user interaction, posing high risk to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.
X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.
This vulnerability in pypdf allows an attacker to craft a malicious PDF file that triggers an infinite loop when processed in non-strict mode, resulting in a denial of service condition. The affected product is pypdf (Python package available via pip), and the vulnerability has been patched in version 6.9.2. While no CVSS score or EPSS data is currently available, the vulnerability is classified as a denial of service issue stemming from improper loop handling (CWE-835: Infinite Loop).
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 lack proper rate limiting on login endpoints, allowing unauthenticated attackers to trigger denial of service through HTTP/2 single packet attacks delivering 100+ parallel login requests. This causes server crashes and forced restarts. While the CVSS score of 4.3 is moderate and requires low attack complexity over the network, the vulnerability enables complete service disruption without authentication.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
An authorization and state management flaw in Apple's WebKit browser engine allows maliciously crafted webpages to fingerprint users by exploiting improper state handling during web interactions. This vulnerability affects Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 across all Apple platforms. An attacker can exploit this by hosting a specially crafted webpage that leverages the state management weakness to extract browser or device identifiers without user knowledge, enabling user tracking and profiling attacks. No CVSS score, EPSS data, or public proof-of-concept details are currently available, though Apple has released fixes across all affected platforms.
This vulnerability allows attackers to bypass Content Security Policy (CSP) enforcement in Apple's WebKit engine through maliciously crafted web content, affecting Safari and all Apple platforms including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability stems from improper state management during web content processing, enabling attackers to circumvent a critical security control that prevents injection attacks and unauthorized script execution. While no CVSS score or EPSS data is currently available, the broad platform impact across Apple's entire ecosystem and the fundamental nature of CSP bypass as an information disclosure vector indicate significant real-world risk.
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. While CVSS scoring is not yet available, referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.
NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.
NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.
NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.
NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.
NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild has been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.
A valid NATS client using message tracing headers can be exploited to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15, allowing authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the capability to publish to unauthorized subjects represents an integrity violation and potential information disclosure risk.
A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.
PinchTab versions 0.7.8 through 0.8.3 accept API authentication tokens via URL query parameters (?token=...) in addition to the Authorization header, creating an unsafe credential transport pattern that exposes tokens through intermediary logs, browser history, shell history, and clipboard history. While this is not a direct authentication bypass-an attacker must obtain the token from a secondary source-the vulnerability is compounded by first-party dashboard setup flows that generate and consume tokenized URLs, increasing practical exposure likelihood. The issue was resolved in version 0.8.4 by removing query-string token authentication entirely and enforcing header-based authentication.
An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.
A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.
Authenticated users can bypass regex-based input validation in command injection action scripts by injecting newline characters that exploit multiline mode anchors, allowing shell command execution. This vulnerability affects systems using administrator-configured validation patterns with ^ and $ anchors, enabling authenticated attackers to achieve arbitrary command execution. No patch is currently available.
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.
GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the `/api/v1/file/content` API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended `config/` directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the `filename` query parameter with `../` sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.
Vikunja prior to version 2.2.1 contains an authorization bypass vulnerability in the DELETE /api/v1/projects/:project/shares/:share endpoint that fails to verify link share ownership. An attacker with administrative access to any project can delete link shares from arbitrary other projects by combining their own project ID with a target share ID, effectively allowing cross-project share manipulation. This is a privilege escalation and denial-of-service vector affecting self-hosted Vikunja deployments where multiple projects exist.
Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.
Vikunja, an open-source self-hosted task management platform, contains an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to access or delete attachments belonging to other users' tasks. The vulnerability affects all versions prior to 2.2.1, enabling attackers to enumerate and download attachments by combining their own valid task ID with sequential attachment IDs. With a CVSS score of 8.1 (High severity), this represents a significant confidentiality and integrity risk, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported.
Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.
Vikunja versions 0.18.0 through 2.2.0 contain an authentication bypass vulnerability where disabled or locked user accounts can continue accessing the system through alternative authentication mechanisms. The vulnerability affects the go-vikunja/vikunja product across all matching versions, allowing attackers with knowledge of valid but disabled account credentials to maintain API access, CalDAV synchronization, and OpenID Connect sessions despite administrative account lockdown. While no CVSS score or EPSS data is available from official sources, the vulnerability represents a critical authorization control failure (CWE-285) with high real-world impact in multi-tenant or regulated environments where account disabling is a primary access revocation mechanism.
NGINX Plus and NGINX Open Source contain an authentication bypass vulnerability in the ngx_stream_ssl_module where revoked certificates are incorrectly accepted during TLS handshakes despite OCSP checking. When ssl_verify_client and ssl_ocsp are both enabled, the module fails to properly enforce certificate revocation status, allowing clients with revoked certificates to establish connections. This affects both commercial NGINX Plus and open-source NGINX deployments with a CVSS score of 5.4 (Medium), representing a localized confidentiality and integrity impact requiring authenticated attackers.
NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.
A boundary condition vulnerability exists in Firefox's Graphics Text component that allows information disclosure through incorrect memory handling during text rendering operations. This affects Firefox versions below 149 and Firefox ESR versions below 140.9, potentially enabling attackers to read sensitive data from adjacent memory regions. No active exploitation in the wild has been confirmed, but the vulnerability warrants prompt patching given its information disclosure impact.
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially leading to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this through WebRTC signaling interactions to disclose sensitive information, though specific exploitation details remain limited in public disclosures.
A spoofing vulnerability exists in Firefox's Privacy: Anti-Tracking component that allows attackers to deceive users or bypass security mechanisms through fraudulent representation. Firefox versions prior to 149 are affected. While specific exploit details are limited in available intelligence, the spoofing nature suggests attackers could impersonate legitimate content or services, potentially leading to credential theft, phishing success, or privacy compromise. No CVSS score, EPSS data, or confirmed KEV status is currently available, limiting real-time risk quantification.
Mozilla NSS Libraries contain a denial-of-service vulnerability affecting Firefox versions below 149 that allows unauthenticated remote attackers to crash affected systems without requiring user interaction. The flaw stems from improper resource handling and currently lacks an available patch. Given the high CVSS score of 7.5 and network-based attack vector, this poses significant availability risk to Mozilla Firefox users.
Firefox versions below 149 are vulnerable to a resource exhaustion attack through malformed XML processing that an unauthenticated attacker can trigger remotely without user interaction. This denial-of-service vulnerability allows attackers to crash affected Firefox instances or degrade performance. No patch is currently available for this vulnerability.
Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.
Mozilla Firefox versions below 149 and Firefox ESR below 140.9 contain memory safety flaws in the JavaScript Engine that enable remote code execution and denial of service attacks without user interaction or special privileges. An unauthenticated attacker can exploit improper boundary condition handling and uninitialized memory to achieve high-impact confidentiality violations and system availability disruption. No patch is currently available.
An uninitialized memory vulnerability exists in Firefox and Firefox ESR's Graphics Canvas2D component that can lead to information disclosure. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit this by crafting malicious Canvas2D operations to read uninitialized memory contents from the graphics rendering pipeline, potentially exposing sensitive data from the browser process.
An incorrect boundary condition vulnerability exists in the Audio/Video component of Mozilla Firefox and Firefox ESR, allowing potential information disclosure through improper memory handling. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker may exploit this vulnerability to leak sensitive information from the browser process memory by triggering specific audio or video processing operations, though active exploitation status is not confirmed at this time.
An incorrect boundary condition vulnerability exists in the Graphics component of Mozilla Firefox and Firefox ESR, allowing information disclosure through improper memory access. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker can exploit this vulnerability to read sensitive information from memory by triggering the boundary condition in graphics processing operations.
An information disclosure vulnerability exists in the Widget: Cocoa component of Mozilla Firefox and Firefox ESR, allowing attackers to access sensitive information through the affected rendering engine. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are vulnerable. The vulnerability permits unauthorized information leakage, though the specific attack mechanism and data exposure scope require analysis of the referenced Mozilla security advisories.
Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.
A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.
An incorrect boundary conditions vulnerability exists in Firefox and Firefox ESR's Audio/Video component that enables information disclosure attacks. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. Attackers can exploit improper boundary validation in audio/video processing to leak sensitive information from the browser process.
A boundary condition vulnerability exists in Firefox's Audio/Video GMP (Gecko Media Plugin) component that enables information disclosure to attackers. This flaw affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in media processing to disclose sensitive information from the affected browser process.
A boundary condition error in Firefox's Graphics component allows information disclosure through improper memory access validation. This vulnerability affects Firefox versions below 149 and Firefox ESR versions below 140.9, enabling attackers to read sensitive memory contents from the graphics processing context. While no CVSS score or EPSS data is currently available, the vulnerability is documented across multiple Mozilla security advisories indicating active awareness by the vendor.
A boundary condition vulnerability exists in Mozilla Firefox's Graphics Canvas2D component that enables information disclosure attacks. The vulnerability affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in Canvas2D operations to read sensitive data from memory, potentially disclosing user information or browser-internal data through a web-based attack vector.
This vulnerability involves incorrect boundary conditions in the Firefox Graphics Canvas2D component that can lead to information disclosure. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to access sensitive memory information through specially crafted Canvas2D operations, potentially exposing user data or system information.
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.
Mozilla Firefox versions prior to 149 and Firefox ESR prior to 140.9 are vulnerable to denial-of-service attacks through the WebRTC signaling component, which an unauthenticated remote attacker can exploit without user interaction to crash affected browsers. The vulnerability stems from improper resource handling and currently has no available patch, leaving users of affected versions at risk of service disruption.
An undefined behavior vulnerability exists in the Firefox Audio/Video component that could lead to information disclosure. This affects all Firefox versions prior to 149. While specific exploitation details are limited due to missing CVSS and CWE data, the vulnerability's classification as information disclosure suggests an attacker could potentially access sensitive audio or video processing data or bypass security boundaries within the multimedia subsystem.
Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.
A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.
Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.
Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.
A NULL pointer dereference vulnerability exists in tmate versions prior to 2.4.0, allowing unauthenticated remote attackers to cause a denial of service condition by crashing the application. The vulnerability has a CVSS score of 5.3 (medium severity) with low attack complexity and no privilege requirements, making it readily exploitable over the network. A patch is available from the vendor, and this issue does not compromise confidentiality or integrity-only availability.
A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers to achieve arbitrary code execution or cause denial of service through specially crafted compressed data. The vulnerability requires user interaction to trigger but has a network attack vector with no authentication needed. A patch is available and should be applied immediately to affected GDAL installations.
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.
Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.
Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.
Freeciv21, an open-source turn-based strategy game, contains a stack overflow vulnerability that allows remote attackers to crash servers or client applications through specially-crafted network packets. All versions prior to 3.1.1 are affected, with exploitation requiring no authentication and leaving no useful logs by default. While there is no evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, Debian has issued security advisory DSA-6173-1 indicating distribution-level concern.
Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
Rails Active Storage's DiskService#delete_prefixed method fails to escape glob metacharacters when passing blob keys to Dir.glob, allowing attackers to delete unintended files from the storage directory if blob keys contain attacker-controlled input or custom-generated keys with glob metacharacters. This affects Ruby on Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1, and while no CVSS score or EPSS data is currently available, the vulnerability represents a significant integrity and availability risk as it enables arbitrary file deletion on the server filesystem.
Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.
Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.
Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.
A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.
BuildKit versions prior to 0.28.1 allow untrusted custom frontends to write arbitrary files outside the execution state directory through crafted API messages, enabling path traversal attacks. This affects users who specify custom frontends via #syntax directives or --build-arg BUILDKIT_SYNTAX parameters with untrusted images. The vulnerability carries a CVSS score of 8.4 with local attack vector requiring no privileges or user interaction, posing high risk to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.
X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.
This vulnerability in pypdf allows an attacker to craft a malicious PDF file that triggers an infinite loop when processed in non-strict mode, resulting in a denial of service condition. The affected product is pypdf (Python package available via pip), and the vulnerability has been patched in version 6.9.2. While no CVSS score or EPSS data is currently available, the vulnerability is classified as a denial of service issue stemming from improper loop handling (CWE-835: Infinite Loop).
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 lack proper rate limiting on login endpoints, allowing unauthenticated attackers to trigger denial of service through HTTP/2 single packet attacks delivering 100+ parallel login requests. This causes server crashes and forced restarts. While the CVSS score of 4.3 is moderate and requires low attack complexity over the network, the vulnerability enables complete service disruption without authentication.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
An authorization and state management flaw in Apple's WebKit browser engine allows maliciously crafted webpages to fingerprint users by exploiting improper state handling during web interactions. This vulnerability affects Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 across all Apple platforms. An attacker can exploit this by hosting a specially crafted webpage that leverages the state management weakness to extract browser or device identifiers without user knowledge, enabling user tracking and profiling attacks. No CVSS score, EPSS data, or public proof-of-concept details are currently available, though Apple has released fixes across all affected platforms.
This vulnerability allows attackers to bypass Content Security Policy (CSP) enforcement in Apple's WebKit engine through maliciously crafted web content, affecting Safari and all Apple platforms including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability stems from improper state management during web content processing, enabling attackers to circumvent a critical security control that prevents injection attacks and unauthorized script execution. While no CVSS score or EPSS data is currently available, the broad platform impact across Apple's entire ecosystem and the fundamental nature of CSP bypass as an information disclosure vector indicate significant real-world risk.
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. While CVSS scoring is not yet available, referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.
NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.
NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.
NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.
NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.
NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild has been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.
A valid NATS client using message tracing headers can be exploited to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15, allowing authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the capability to publish to unauthorized subjects represents an integrity violation and potential information disclosure risk.
A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.
PinchTab versions 0.7.8 through 0.8.3 accept API authentication tokens via URL query parameters (?token=...) in addition to the Authorization header, creating an unsafe credential transport pattern that exposes tokens through intermediary logs, browser history, shell history, and clipboard history. While this is not a direct authentication bypass-an attacker must obtain the token from a secondary source-the vulnerability is compounded by first-party dashboard setup flows that generate and consume tokenized URLs, increasing practical exposure likelihood. The issue was resolved in version 0.8.4 by removing query-string token authentication entirely and enforcing header-based authentication.
An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.
A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.
Authenticated users can bypass regex-based input validation in command injection action scripts by injecting newline characters that exploit multiline mode anchors, allowing shell command execution. This vulnerability affects systems using administrator-configured validation patterns with ^ and $ anchors, enabling authenticated attackers to achieve arbitrary command execution. No patch is currently available.
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.
GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the `/api/v1/file/content` API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended `config/` directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the `filename` query parameter with `../` sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.
Vikunja prior to version 2.2.1 contains an authorization bypass vulnerability in the DELETE /api/v1/projects/:project/shares/:share endpoint that fails to verify link share ownership. An attacker with administrative access to any project can delete link shares from arbitrary other projects by combining their own project ID with a target share ID, effectively allowing cross-project share manipulation. This is a privilege escalation and denial-of-service vector affecting self-hosted Vikunja deployments where multiple projects exist.
Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.
Vikunja, an open-source self-hosted task management platform, contains an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to access or delete attachments belonging to other users' tasks. The vulnerability affects all versions prior to 2.2.1, enabling attackers to enumerate and download attachments by combining their own valid task ID with sequential attachment IDs. With a CVSS score of 8.1 (High severity), this represents a significant confidentiality and integrity risk, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported.
Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.
Vikunja versions 0.18.0 through 2.2.0 contain an authentication bypass vulnerability where disabled or locked user accounts can continue accessing the system through alternative authentication mechanisms. The vulnerability affects the go-vikunja/vikunja product across all matching versions, allowing attackers with knowledge of valid but disabled account credentials to maintain API access, CalDAV synchronization, and OpenID Connect sessions despite administrative account lockdown. While no CVSS score or EPSS data is available from official sources, the vulnerability represents a critical authorization control failure (CWE-285) with high real-world impact in multi-tenant or regulated environments where account disabling is a primary access revocation mechanism.
NGINX Plus and NGINX Open Source contain an authentication bypass vulnerability in the ngx_stream_ssl_module where revoked certificates are incorrectly accepted during TLS handshakes despite OCSP checking. When ssl_verify_client and ssl_ocsp are both enabled, the module fails to properly enforce certificate revocation status, allowing clients with revoked certificates to establish connections. This affects both commercial NGINX Plus and open-source NGINX deployments with a CVSS score of 5.4 (Medium), representing a localized confidentiality and integrity impact requiring authenticated attackers.
NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.
A boundary condition vulnerability exists in Firefox's Graphics Text component that allows information disclosure through incorrect memory handling during text rendering operations. This affects Firefox versions below 149 and Firefox ESR versions below 140.9, potentially enabling attackers to read sensitive data from adjacent memory regions. No active exploitation in the wild has been confirmed, but the vulnerability warrants prompt patching given its information disclosure impact.
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially leading to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this through WebRTC signaling interactions to disclose sensitive information, though specific exploitation details remain limited in public disclosures.
A spoofing vulnerability exists in Firefox's Privacy: Anti-Tracking component that allows attackers to deceive users or bypass security mechanisms through fraudulent representation. Firefox versions prior to 149 are affected. While specific exploit details are limited in available intelligence, the spoofing nature suggests attackers could impersonate legitimate content or services, potentially leading to credential theft, phishing success, or privacy compromise. No CVSS score, EPSS data, or confirmed KEV status is currently available, limiting real-time risk quantification.
Mozilla NSS Libraries contain a denial-of-service vulnerability affecting Firefox versions below 149 that allows unauthenticated remote attackers to crash affected systems without requiring user interaction. The flaw stems from improper resource handling and currently lacks an available patch. Given the high CVSS score of 7.5 and network-based attack vector, this poses significant availability risk to Mozilla Firefox users.
Firefox versions below 149 are vulnerable to a resource exhaustion attack through malformed XML processing that an unauthenticated attacker can trigger remotely without user interaction. This denial-of-service vulnerability allows attackers to crash affected Firefox instances or degrade performance. No patch is currently available for this vulnerability.
Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.
Mozilla Firefox versions below 149 and Firefox ESR below 140.9 contain memory safety flaws in the JavaScript Engine that enable remote code execution and denial of service attacks without user interaction or special privileges. An unauthenticated attacker can exploit improper boundary condition handling and uninitialized memory to achieve high-impact confidentiality violations and system availability disruption. No patch is currently available.
An uninitialized memory vulnerability exists in Firefox and Firefox ESR's Graphics Canvas2D component that can lead to information disclosure. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit this by crafting malicious Canvas2D operations to read uninitialized memory contents from the graphics rendering pipeline, potentially exposing sensitive data from the browser process.
An incorrect boundary condition vulnerability exists in the Audio/Video component of Mozilla Firefox and Firefox ESR, allowing potential information disclosure through improper memory handling. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker may exploit this vulnerability to leak sensitive information from the browser process memory by triggering specific audio or video processing operations, though active exploitation status is not confirmed at this time.
An incorrect boundary condition vulnerability exists in the Graphics component of Mozilla Firefox and Firefox ESR, allowing information disclosure through improper memory access. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker can exploit this vulnerability to read sensitive information from memory by triggering the boundary condition in graphics processing operations.
An information disclosure vulnerability exists in the Widget: Cocoa component of Mozilla Firefox and Firefox ESR, allowing attackers to access sensitive information through the affected rendering engine. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are vulnerable. The vulnerability permits unauthorized information leakage, though the specific attack mechanism and data exposure scope require analysis of the referenced Mozilla security advisories.
Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.
A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.
An incorrect boundary conditions vulnerability exists in Firefox and Firefox ESR's Audio/Video component that enables information disclosure attacks. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. Attackers can exploit improper boundary validation in audio/video processing to leak sensitive information from the browser process.
A boundary condition vulnerability exists in Firefox's Audio/Video GMP (Gecko Media Plugin) component that enables information disclosure to attackers. This flaw affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in media processing to disclose sensitive information from the affected browser process.
A boundary condition error in Firefox's Graphics component allows information disclosure through improper memory access validation. This vulnerability affects Firefox versions below 149 and Firefox ESR versions below 140.9, enabling attackers to read sensitive memory contents from the graphics processing context. While no CVSS score or EPSS data is currently available, the vulnerability is documented across multiple Mozilla security advisories indicating active awareness by the vendor.
A boundary condition vulnerability exists in Mozilla Firefox's Graphics Canvas2D component that enables information disclosure attacks. The vulnerability affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in Canvas2D operations to read sensitive data from memory, potentially disclosing user information or browser-internal data through a web-based attack vector.
This vulnerability involves incorrect boundary conditions in the Firefox Graphics Canvas2D component that can lead to information disclosure. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to access sensitive memory information through specially crafted Canvas2D operations, potentially exposing user data or system information.
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.
Mozilla Firefox versions prior to 149 and Firefox ESR prior to 140.9 are vulnerable to denial-of-service attacks through the WebRTC signaling component, which an unauthenticated remote attacker can exploit without user interaction to crash affected browsers. The vulnerability stems from improper resource handling and currently has no available patch, leaving users of affected versions at risk of service disruption.
An undefined behavior vulnerability exists in the Firefox Audio/Video component that could lead to information disclosure. This affects all Firefox versions prior to 149. While specific exploitation details are limited due to missing CVSS and CWE data, the vulnerability's classification as information disclosure suggests an attacker could potentially access sensitive audio or video processing data or bypass security boundaries within the multimedia subsystem.
Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.
A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.
Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.
Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.
A NULL pointer dereference vulnerability exists in tmate versions prior to 2.4.0, allowing unauthenticated remote attackers to cause a denial of service condition by crashing the application. The vulnerability has a CVSS score of 5.3 (medium severity) with low attack complexity and no privilege requirements, making it readily exploitable over the network. A patch is available from the vendor, and this issue does not compromise confidentiality or integrity-only availability.
A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers to achieve arbitrary code execution or cause denial of service through specially crafted compressed data. The vulnerability requires user interaction to trigger but has a network attack vector with no authentication needed. A patch is available and should be applied immediately to affected GDAL installations.
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.
Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.
Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.
Freeciv21, an open-source turn-based strategy game, contains a stack overflow vulnerability that allows remote attackers to crash servers or client applications through specially-crafted network packets. All versions prior to 3.1.1 are affected, with exploitation requiring no authentication and leaving no useful logs by default. While there is no evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, Debian has issued security advisory DSA-6173-1 indicating distribution-level concern.
Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
Rails Active Storage's DiskService#delete_prefixed method fails to escape glob metacharacters when passing blob keys to Dir.glob, allowing attackers to delete unintended files from the storage directory if blob keys contain attacker-controlled input or custom-generated keys with glob metacharacters. This affects Ruby on Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1, and while no CVSS score or EPSS data is currently available, the vulnerability represents a significant integrity and availability risk as it enables arbitrary file deletion on the server filesystem.
Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.
Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.
Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.
A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.