Windows
Monthly
A flaw has been found in Artifex MuPDF versions up to 1.26.1 is affected by untrusted search path (CVSS 7.0).
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers without signature verification, allowing network attackers to perform man-in-the-middle attacks and inject malicious code. An attacker with any valid TLS certificate can intercept update requests and redirect users to a malicious installer, achieving arbitrary code execution on Windows systems. Public exploit code exists for this vulnerability and no patch is currently available.
PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserialization of the $type property in JSON files within Flow or App packages. A local attacker with user interaction can exploit this vulnerability to achieve full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions.
SumatraPDF versions 3.5.2 and earlier are vulnerable to a heap buffer over-read in the MOBI file parser due to incomplete bounds validation in the HuffDic decompressor, allowing attackers to crash the application by opening a malicious .mobi file. Public exploit code exists for this vulnerability. Local user interaction is required to trigger the vulnerability, and while denial of service is the primary impact, the out-of-bounds read could potentially leak sensitive memory contents.
SumatraPDF 3.5.2 and earlier on Windows allows arbitrary code execution when a user opens a PDF and selects "Show in folder," as the application executes a malicious explorer.exe binary from the same directory without warning. Public exploit code exists for this vulnerability, which affects any user who opens untrusted PDFs and interacts with the file menu option. An attacker can achieve code execution with the privileges of the victim's user account through a simple social engineering attack.
Dell Display and Peripheral Manager before version 2.2 on Windows contains an insecure link resolution flaw that allows local attackers with low privileges to escalate their access through the installer or service. An authenticated user can exploit improper symlink handling to gain elevated permissions on the system. No patch is currently available for this vulnerability.
Windows services registered by Oki Electric Industry, Ricoh, and Murata Machinery products use unquoted file paths, allowing a local user with write access to the system drive root to achieve arbitrary code execution with SYSTEM privileges. This vulnerability requires elevated permissions and local access to exploit, making it primarily a privilege escalation risk in multi-user environments. No patch is currently available for affected products.
SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. [CVSS 6.2 MEDIUM]
Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.
Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.
Improper access control in TeamViewer clients (Windows, macOS, Linux) before version 15.74.5 permits authenticated remote users to circumvent confirmation-based access restrictions during active sessions. An attacker with valid remote session credentials can gain unauthorized access without triggering the expected local confirmation prompt, requiring only prior authentication via ID/password, session link, or Easy Access.
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (...
multiple Windows services contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. [CVSS 7.8 HIGH]
Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. [CVSS 7.8 HIGH]
A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated [CVSS 3.3 LOW]
Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. [CVSS 6.7 MEDIUM]
Pc Helpsoft Driver Updater versions up to 9.1.57803.1174 is affected by improper access control (CVSS 7.8).
Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables (CVSS 7.8).
Signal K Server versions prior to 2.20.3 on Windows contain a path traversal vulnerability in the applicationData API that allows authenticated users to read, write, and list arbitrary files by bypassing directory validation using backslashes. The vulnerability exists because the validateAppId() function only blocks forward slashes, allowing attackers to escape the intended applicationData directory through Windows path semantics. Public exploit code exists for this medium-severity flaw, and a patch is available in version 2.20.3.
A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7.
DeepMgmtService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]
Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. [CVSS 8.4 HIGH]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 5.3).
Db2 contains a vulnerability that allows attackers to cause a denial of service due to insufficient validation of special elements in (CVSS 6.5).
Db2 contains a vulnerability that allows attackers to cause a denial of service due to improper neutralization of special elements in (CVSS 6.5).
Db2 contains a vulnerability that allows attackers to a local user to cause a denial of service due to improper neutralization of spec (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given specially crafted query. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to a local user with filesystem access to escalate their privileges due to the use (CVSS 8.4).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. [CVSS 6.8 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. [CVSS 6.2 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. [CVSS 7.2 HIGH]
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying large table containing XML data due to improper allocation of system resources. [CVSS 6.2 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to excessive use of a glo (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. [CVSS 6.5 MEDIUM]
its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code contains a security vulnerability (CVSS 7.8).
Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls.
Local Admin Service versions up to 1.2.7.23180 is affected by execution with unnecessary privileges (CVSS 7.8).
Icinga PowerShell Framework versions prior to 1.13.4, 1.12.4, and 1.11.2 expose private certificate keys due to overly permissive directory permissions that allow all local users read access to the certificate folder. A local attacker with user-level privileges can retrieve these private keys to impersonate the Icinga service or intercept monitoring communications. No patch is currently available; manual ACL restrictions on the certificate directory are required as a temporary mitigation.
Icinga 2 on Windows versions 2.3.0 through 2.15.1 fail to properly restrict file permissions on the `%ProgramData%\icinga2\var` directory, allowing any local user to read sensitive data including private keys and synchronized configurations. All Windows installations are affected, and attackers with local access can extract cryptographic material and configuration details for lateral movement or further compromise. Patches are available in versions 2.13.14, 2.14.8, and 2.15.2, with workarounds available through updated Icinga for Windows packages or manual ACL remediation.
Stack buffer overflow in Free MP3 CD Ripper 2.8 allows remote code execution via crafted WAV files. PoC available.
Log timestamp tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject malicious UDP Sync commands that corrupt event timestamps, undermining log integrity and forensic investigation capabilities. This input validation flaw affects Windows deployments of the NomadBranch service and could enable attackers to obscure the timeline of malicious activities or create misleading audit trails. No patch is currently available for this medium-severity vulnerability.
TeamViewer DEX Client versions before 26.1 contain an out-of-bounds read in the Content Distribution Service that enables remote attackers to leak stack memory and trigger denial of service without authentication. Successful exploitation could disclose memory contents useful for bypassing address space layout randomization and chaining with other vulnerabilities. No patch is currently available for this medium-severity flaw affecting Windows deployments.
Information disclosure and denial-of-service in TeamViewer DEX Client versions before 26.1 allows adjacent network attackers to trigger an out-of-bounds read via specially crafted packets, potentially leaking sensitive memory that could be leveraged to bypass ASLR protections. Affected Windows systems running the NomadBranch.exe content distribution service are vulnerable to attacks requiring only network proximity, with no authentication or user interaction needed.
Denial-of-service in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to crash the NomadBranch.exe service by sending specially crafted UDP packets that trigger a heap buffer overflow. The vulnerability stems from an integer underflow in the UDP command handler that can be exploited without authentication or user interaction. Currently, no patch is available and the attack requires network adjacency to the affected system.
Log tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject, modify, or forge entries in the NomadBranch.log file through the UDP network handler, compromising log integrity and audit trail reliability. An attacker with network access can send crafted packets to the Content Distribution Service to manipulate logging records without authentication, potentially obscuring malicious activity or creating false audit entries.
TeamViewer DEX Client versions prior to 26.1 contain a null pointer dereference in the NomadBranch.exe Content Distribution Service that allows adjacent network attackers to crash the process without authentication. An attacker can exploit this vulnerability to disable the Content Distribution Service, causing a denial-of-service condition on affected Windows systems. No patch is currently available.
Digital Employee Experience is affected by cleartext transmission of sensitive information (CVSS 6.5).
Digital Employee Experience versions up to 26.1 is affected by improper link resolution before file access (CVSS 5.7).
SmarterMail before build 9518 allows unauthenticated attackers to exploit a path traversal flaw in the background preview endpoint by supplying base64-encoded UNC paths, forcing the Windows service to initiate SMB connections to attacker-controlled servers. This enables credential coercion and NTLM relay attacks without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. [CVSS 4.4 MEDIUM]
its Windows service configuration contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
its Windows service configuration contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).
its Windows service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. [CVSS 7.8 HIGH]
Acronis Cloud Manager for Windows before build 6.4.25342.354 is vulnerable to local privilege escalation through improperly configured folder permissions, allowing authenticated users with low privileges to escalate to higher privileges. An attacker with local access and user interaction can exploit this vulnerability to gain full system control. No patch is currently available for this vulnerability.
beat-access for Windows version 3.0.3 and prior allows local attackers with user privileges to execute arbitrary code with SYSTEM-level permissions through insecure DLL search path resolution. An attacker can exploit this vulnerability by placing a malicious DLL in a predictable location, which the application will load and execute during normal operation. No patch is currently available for this vulnerability.
DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path.
pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.
Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code exe...
KiteService Windows service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.
with the restriction that the password is only randomized if the configured date versions up to 2022. contains a security vulnerability.
MEmusvc Windows service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. [CVSS 7.8 HIGH]
DeepNetworkService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. [CVSS 8.4 HIGH]
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
from 6.0 versions up to 9.0 contains a vulnerability that allows attackers to access stored passwords in a recoverable format which makes them subject to pass.
SumatraPDF on Windows is vulnerable to a denial-of-service attack through a maliciously crafted Mobi file that triggers an integer underflow in record validation, causing an out-of-bounds heap read and application crash. The vulnerability stems from an off-by-one error in the PalmDbReader::GetRecord function that only occurs with exactly 2 records, and public exploit code is available. No patch has been released at this time.
Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware on managed devices across the fleet.
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
its Windows service configuration contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).
GVFS.Service Windows service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
its Encrypto Service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.
A flaw has been found in Artifex MuPDF versions up to 1.26.1 is affected by untrusted search path (CVSS 7.0).
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers without signature verification, allowing network attackers to perform man-in-the-middle attacks and inject malicious code. An attacker with any valid TLS certificate can intercept update requests and redirect users to a malicious installer, achieving arbitrary code execution on Windows systems. Public exploit code exists for this vulnerability and no patch is currently available.
PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserialization of the $type property in JSON files within Flow or App packages. A local attacker with user interaction can exploit this vulnerability to achieve full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions.
SumatraPDF versions 3.5.2 and earlier are vulnerable to a heap buffer over-read in the MOBI file parser due to incomplete bounds validation in the HuffDic decompressor, allowing attackers to crash the application by opening a malicious .mobi file. Public exploit code exists for this vulnerability. Local user interaction is required to trigger the vulnerability, and while denial of service is the primary impact, the out-of-bounds read could potentially leak sensitive memory contents.
SumatraPDF 3.5.2 and earlier on Windows allows arbitrary code execution when a user opens a PDF and selects "Show in folder," as the application executes a malicious explorer.exe binary from the same directory without warning. Public exploit code exists for this vulnerability, which affects any user who opens untrusted PDFs and interacts with the file menu option. An attacker can achieve code execution with the privileges of the victim's user account through a simple social engineering attack.
Dell Display and Peripheral Manager before version 2.2 on Windows contains an insecure link resolution flaw that allows local attackers with low privileges to escalate their access through the installer or service. An authenticated user can exploit improper symlink handling to gain elevated permissions on the system. No patch is currently available for this vulnerability.
Windows services registered by Oki Electric Industry, Ricoh, and Murata Machinery products use unquoted file paths, allowing a local user with write access to the system drive root to achieve arbitrary code execution with SYSTEM privileges. This vulnerability requires elevated permissions and local access to exploit, making it primarily a privilege escalation risk in multi-user environments. No patch is currently available for affected products.
SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. [CVSS 6.2 MEDIUM]
Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.
Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.
Improper access control in TeamViewer clients (Windows, macOS, Linux) before version 15.74.5 permits authenticated remote users to circumvent confirmation-based access restrictions during active sessions. An attacker with valid remote session credentials can gain unauthorized access without triggering the expected local confirmation prompt, requiring only prior authentication via ID/password, session link, or Easy Access.
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (...
multiple Windows services contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. [CVSS 7.8 HIGH]
Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. [CVSS 7.8 HIGH]
A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated [CVSS 3.3 LOW]
Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. [CVSS 6.7 MEDIUM]
Pc Helpsoft Driver Updater versions up to 9.1.57803.1174 is affected by improper access control (CVSS 7.8).
Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables (CVSS 7.8).
Signal K Server versions prior to 2.20.3 on Windows contain a path traversal vulnerability in the applicationData API that allows authenticated users to read, write, and list arbitrary files by bypassing directory validation using backslashes. The vulnerability exists because the validateAppId() function only blocks forward slashes, allowing attackers to escape the intended applicationData directory through Windows path semantics. Public exploit code exists for this medium-severity flaw, and a patch is available in version 2.20.3.
A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7.
DeepMgmtService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. [CVSS 5.4 MEDIUM]
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]
Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. [CVSS 8.4 HIGH]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 5.3).
Db2 contains a vulnerability that allows attackers to cause a denial of service due to insufficient validation of special elements in (CVSS 6.5).
Db2 contains a vulnerability that allows attackers to cause a denial of service due to improper neutralization of special elements in (CVSS 6.5).
Db2 contains a vulnerability that allows attackers to a local user to cause a denial of service due to improper neutralization of spec (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given specially crafted query. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to a local user with filesystem access to escalate their privileges due to the use (CVSS 8.4).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. [CVSS 6.8 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. [CVSS 6.2 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. [CVSS 7.2 HIGH]
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying large table containing XML data due to improper allocation of system resources. [CVSS 6.2 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. [CVSS 6.5 MEDIUM]
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to excessive use of a glo (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. [CVSS 6.5 MEDIUM]
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. [CVSS 6.5 MEDIUM]
its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code contains a security vulnerability (CVSS 7.8).
Chef InSpec versions up to 5.23 and before 7.0.107 creates named pipes with overly permissive default Windows access controls.
Local Admin Service versions up to 1.2.7.23180 is affected by execution with unnecessary privileges (CVSS 7.8).
Icinga PowerShell Framework versions prior to 1.13.4, 1.12.4, and 1.11.2 expose private certificate keys due to overly permissive directory permissions that allow all local users read access to the certificate folder. A local attacker with user-level privileges can retrieve these private keys to impersonate the Icinga service or intercept monitoring communications. No patch is currently available; manual ACL restrictions on the certificate directory are required as a temporary mitigation.
Icinga 2 on Windows versions 2.3.0 through 2.15.1 fail to properly restrict file permissions on the `%ProgramData%\icinga2\var` directory, allowing any local user to read sensitive data including private keys and synchronized configurations. All Windows installations are affected, and attackers with local access can extract cryptographic material and configuration details for lateral movement or further compromise. Patches are available in versions 2.13.14, 2.14.8, and 2.15.2, with workarounds available through updated Icinga for Windows packages or manual ACL remediation.
Stack buffer overflow in Free MP3 CD Ripper 2.8 allows remote code execution via crafted WAV files. PoC available.
Log timestamp tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject malicious UDP Sync commands that corrupt event timestamps, undermining log integrity and forensic investigation capabilities. This input validation flaw affects Windows deployments of the NomadBranch service and could enable attackers to obscure the timeline of malicious activities or create misleading audit trails. No patch is currently available for this medium-severity vulnerability.
TeamViewer DEX Client versions before 26.1 contain an out-of-bounds read in the Content Distribution Service that enables remote attackers to leak stack memory and trigger denial of service without authentication. Successful exploitation could disclose memory contents useful for bypassing address space layout randomization and chaining with other vulnerabilities. No patch is currently available for this medium-severity flaw affecting Windows deployments.
Information disclosure and denial-of-service in TeamViewer DEX Client versions before 26.1 allows adjacent network attackers to trigger an out-of-bounds read via specially crafted packets, potentially leaking sensitive memory that could be leveraged to bypass ASLR protections. Affected Windows systems running the NomadBranch.exe content distribution service are vulnerable to attacks requiring only network proximity, with no authentication or user interaction needed.
Denial-of-service in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to crash the NomadBranch.exe service by sending specially crafted UDP packets that trigger a heap buffer overflow. The vulnerability stems from an integer underflow in the UDP command handler that can be exploited without authentication or user interaction. Currently, no patch is available and the attack requires network adjacency to the affected system.
Log tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject, modify, or forge entries in the NomadBranch.log file through the UDP network handler, compromising log integrity and audit trail reliability. An attacker with network access can send crafted packets to the Content Distribution Service to manipulate logging records without authentication, potentially obscuring malicious activity or creating false audit entries.
TeamViewer DEX Client versions prior to 26.1 contain a null pointer dereference in the NomadBranch.exe Content Distribution Service that allows adjacent network attackers to crash the process without authentication. An attacker can exploit this vulnerability to disable the Content Distribution Service, causing a denial-of-service condition on affected Windows systems. No patch is currently available.
Digital Employee Experience is affected by cleartext transmission of sensitive information (CVSS 6.5).
Digital Employee Experience versions up to 26.1 is affected by improper link resolution before file access (CVSS 5.7).
SmarterMail before build 9518 allows unauthenticated attackers to exploit a path traversal flaw in the background preview endpoint by supplying base64-encoded UNC paths, forcing the Windows service to initiate SMB connections to attacker-controlled servers. This enables credential coercion and NTLM relay attacks without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. [CVSS 4.4 MEDIUM]
its Windows service configuration contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
its Windows service configuration contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).
its Windows service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. [CVSS 7.8 HIGH]
Acronis Cloud Manager for Windows before build 6.4.25342.354 is vulnerable to local privilege escalation through improperly configured folder permissions, allowing authenticated users with low privileges to escalate to higher privileges. An attacker with local access and user interaction can exploit this vulnerability to gain full system control. No patch is currently available for this vulnerability.
beat-access for Windows version 3.0.3 and prior allows local attackers with user privileges to execute arbitrary code with SYSTEM-level permissions through insecure DLL search path resolution. An attacker can exploit this vulnerability by placing a malicious DLL in a predictable location, which the application will load and execute during normal operation. No patch is currently available for this vulnerability.
DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path.
pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.
Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code exe...
KiteService Windows service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.
with the restriction that the password is only randomized if the configured date versions up to 2022. contains a security vulnerability.
MEmusvc Windows service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. [CVSS 7.8 HIGH]
DeepNetworkService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. [CVSS 8.4 HIGH]
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).
from 6.0 versions up to 9.0 contains a vulnerability that allows attackers to access stored passwords in a recoverable format which makes them subject to pass.
SumatraPDF on Windows is vulnerable to a denial-of-service attack through a maliciously crafted Mobi file that triggers an integer underflow in record validation, causing an out-of-bounds heap read and application crash. The vulnerability stems from an off-by-one error in the PalmDbReader::GetRecord function that only occurs with exactly 2 records, and public exploit code is available. No patch has been released at this time.
Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware on managed devices across the fleet.
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
its Windows service configuration contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).
GVFS.Service Windows service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
its Encrypto Service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.