Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Disclosure happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
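The probing described above leaves a recognisable trail in web server logs. The following added example (not part of the original page) scans combined-format access-log lines for requests to the artifact types named here and separates clients that are merely probing from paths the server actually answered with a 2xx status; the log lines, addresses and the `scan_threshold` value are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Artifact types named on this page: VCS folders, env/config files, backups, phpinfo.
SENSITIVE = re.compile(
    r"""
    (^|/)\.git(/|$)                        # exposed version-control folder
  | (^|/)\.env(\.|$)                       # .env and variants such as .env.bak
  | (^|/)config\.php                       # config.php, config.php.bak, ...
  | \.(bak|old|sql|zip|tar|tgz|gz|7z)$     # backup archives and dumps
  | (^|/)phpinfo\.php$
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Combined log format: client, identity, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /config.php.bak HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /backup/site.tar.gz HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:00:06 +0000] "GET /docs/git-workflow.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:00:09 +0000] "GET /%2Egit/config HTTP/1.1" 200 92 "-" "-"
""".splitlines()


def analyse(lines, scan_threshold=3):
    """Return clients probing many sensitive paths and paths that were served.

    scanners: clients requesting >= scan_threshold distinct sensitive paths.
    exposed:  (path, client) pairs answered with 2xx, i.e. the file is reachable
              and needs fixing regardless of how many requests were made.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target, status = m.group(1), m.group(3), int(m.group(4))
        # Drop the query string and decode %-escapes so /%2Egit/ is seen as /.git/
        path = unquote(urlsplit(target).path)
        if SENSITIVE.search(path):
            hits[client].append((path, status))

    scanners = sorted(
        c for c, h in hits.items() if len({p for p, _ in h}) >= scan_threshold
    )
    exposed = sorted(
        {(p, c) for c, h in hits.items() for p, s in h if 200 <= s < 300}
    )
    return {"scanners": scanners, "exposed": exposed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("probing clients:", report["scanners"])
    for path, client in report["exposed"]:
        print(f"SERVED {path} to {client}")
```

Entries in `exposed` are the ones to act on first: a 2xx on `/.git/` or a backup file means the artifact is reachable now, whatever the request volume.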

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
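The following added example (not from the original page) implements three of the controls above in plain Python: an allowlist serializer, a login check that returns one message and performs the same hashing work for unknown users, and an error wrapper that logs the exception server-side and returns only an incident ID. The user store, field names, `PBKDF2_ROUNDS` value and the `handle` and `load_profile` helpers are hypothetical.

```python
import hashlib
import hmac
import logging
import os
import uuid

log = logging.getLogger("app")
PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(uid, name, email, password):
    salt = os.urandom(16)
    return {"id": uid, "display_name": name, "email": email,
            "salt": salt, "pw_hash": _hash(password, salt)}


# Constructed sample store (hypothetical field names).
USERS = {"alice": make_user(1, "Alice", "alice@example.test", "correct horse")}

# --- Response minimization: allowlist, not blocklist -----------------------
PUBLIC_USER_FIELDS = ("id", "display_name")


def public_view(record, allowed=PUBLIC_USER_FIELDS):
    """Copy only allowlisted keys, so newly added internal fields stay private."""
    return {k: record[k] for k in allowed if k in record}


# --- Uniform authentication failures ---------------------------------------
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)
GENERIC_LOGIN_ERROR = "Invalid username or password"


def login(users, username, password):
    user = users.get(username)
    # Unknown users are checked against a dummy record so both failure paths
    # do the same key-derivation work (equal work, not a hard timing guarantee).
    salt, stored = (user["salt"], user["pw_hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash(password, salt)
    ok = hmac.compare_digest(candidate, stored) and user is not None
    if not ok:
        # One message for "no such user" and "wrong password".
        return {"ok": False, "error": GENERIC_LOGIN_ERROR}
    return {"ok": True, "user": public_view(user)}


# --- Generic error responses -----------------------------------------------
def handle(func, *args):
    """Run a request handler; on failure log the detail, return a generic body."""
    try:
        return 200, func(*args)
    except Exception:
        incident = uuid.uuid4().hex
        # Stack trace and exception text go to the server log only.
        log.exception("unhandled error incident=%s", incident)
        return 500, {"error": "Internal error", "incident": incident}


def load_profile(username):
    # Constructed failure whose message contains an internal path.
    raise FileNotFoundError("/srv/app/config/db.yml")


if __name__ == "__main__":
    print(login(USERS, "nobody", "x"))
    print(login(USERS, "alice", "x"))
    print(login(USERS, "alice", "correct horse"))
    print(handle(load_profile, "alice"))
```

The incident ID lets support staff find the full exception in the server log without the client ever seeing a path, query or framework name.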

Recent CVEs (12480)

CVE-2026-33335
EPSS 0% CVSS 6.4
MEDIUM This Month

The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open() calls to shell.openExternal(), allowing attackers to invoke arbitrary local applications, open files, or trigger custom protocol handlers. Vikunja versions 0.21.0 through 2.1.x are affected, with the vulnerability patched in version 2.2.0. An attacker who can inject links with target="_blank" into user-generated content can exploit this to execute malicious actions on the victim's operating system without user awareness or explicit consent.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32647
EPSS 0% CVSS 8.5
HIGH This Week

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).

Nginx Buffer Overflow RCE +1
NVD VulDB
CVE-2026-27784
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite worker process memory via specially crafted MP4 files, leading to denial of service. The vulnerability requires the mp4 directive to be enabled in the configuration and an attacker's ability to trigger MP4 file processing. No patch is currently available for affected deployments.

Nginx Integer Overflow Information Disclosure +2
NVD VulDB
CVE-2026-4719
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Firefox's Graphics Text component that allows information disclosure through incorrect memory handling during text rendering operations. This affects Firefox versions below 149 and Firefox ESR versions below 140.9, potentially enabling attackers to read sensitive data from adjacent memory regions. No active exploitation in the wild has been confirmed, but the vulnerability warrants prompt patching given its information disclosure impact.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4718
EPSS 0% CVSS 8.1
HIGH PATCH This Week

An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially leading to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this through WebRTC signaling interactions to disclose sensitive information, though specific exploitation details remain limited in public disclosures.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4716
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Mozilla Firefox versions below 149 and Firefox ESR below 140.9 contain memory safety flaws in the JavaScript Engine that enable remote code execution and denial of service attacks without user interaction or special privileges. An unauthenticated attacker can exploit improper boundary condition handling and uninitialized memory to achieve high-impact confidentiality violations and system availability disruption. No patch is currently available.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4715
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

An uninitialized memory vulnerability exists in Firefox and Firefox ESR's Graphics Canvas2D component that can lead to information disclosure. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit this by crafting malicious Canvas2D operations to read uninitialized memory contents from the graphics rendering pipeline, potentially exposing sensitive data from the browser process.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4714
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An incorrect boundary condition vulnerability exists in the Audio/Video component of Mozilla Firefox and Firefox ESR, allowing potential information disclosure through improper memory handling. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker may exploit this vulnerability to leak sensitive information from the browser process memory by triggering specific audio or video processing operations, though active exploitation status is not confirmed at this time.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4713
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An incorrect boundary condition vulnerability exists in the Graphics component of Mozilla Firefox and Firefox ESR, allowing information disclosure through improper memory access. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker can exploit this vulnerability to read sensitive information from memory by triggering the boundary condition in graphics processing operations.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4712
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An information disclosure vulnerability exists in the Widget: Cocoa component of Mozilla Firefox and Firefox ESR, allowing attackers to access sensitive information through the affected rendering engine. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are vulnerable. The vulnerability permits unauthorized information leakage, though the specific attack mechanism and data exposure scope require analysis of the referenced Mozilla security advisories.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4725
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4711
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4709
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Firefox's Audio/Video GMP (Gecko Media Plugin) component that enables information disclosure to attackers. This flaw affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in media processing to disclose sensitive information from the affected browser process.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4708
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition error in Firefox's Graphics component allows information disclosure through improper memory access validation. This vulnerability affects Firefox versions below 149 and Firefox ESR versions below 140.9, enabling attackers to read sensitive memory contents from the graphics processing context. While no CVSS score or EPSS data is currently available, the vulnerability is documented across multiple Mozilla security advisories indicating active awareness by the vendor.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4707
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Mozilla Firefox's Graphics Canvas2D component that enables information disclosure attacks. The vulnerability affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in Canvas2D operations to read sensitive data from memory, potentially disclosing user information or browser-internal data through a web-based attack vector.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4706
EPSS 0% CVSS 7.5
HIGH PATCH This Week

This vulnerability involves incorrect boundary conditions in the Firefox Graphics Canvas2D component that can lead to information disclosure. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to access sensitive memory information through specially crafted Canvas2D operations, potentially exposing user data or system information.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4705
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4724
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

An undefined behavior vulnerability exists in the Firefox Audio/Video component that could lead to information disclosure. This affects all Firefox versions prior to 149. While specific exploitation details are limited due to missing CVSS and CWE data, the vulnerability's classification as information disclosure suggests an attacker could potentially access sensitive audio or video processing data or bypass security boundaries within the multimedia subsystem.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4723
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4702
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.

Mozilla Memory Corruption Information Disclosure +1
NVD VulDB
CVE-2026-4701
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.

Mozilla Use After Free Memory Corruption +2
NVD VulDB
CVE-2026-4699
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Firefox's Layout: Text and Fonts component that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR versions below 115.34, and Firefox ESR versions below 140.9. An attacker could exploit incorrect boundary handling in text and font rendering to potentially disclose sensitive information from memory, though specific exploitation details and active exploitation status are not publicly documented in the available intelligence.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4698
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.

Mozilla Memory Corruption Information Disclosure +1
NVD VulDB
CVE-2026-4697
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Firefox and Firefox ESR's Audio/Video Web Codecs component that allows information disclosure. The vulnerability affects Firefox versions prior to 149 and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to disclose sensitive information, potentially leveraging web-based attack vectors without requiring elevated privileges.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4696
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4695
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A boundary condition vulnerability exists in Firefox's Audio/Video Web Codecs component that allows information disclosure to attackers. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit incorrect boundary condition handling in codec processing to read sensitive memory contents or application state.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4693
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An incorrect boundary condition vulnerability exists in the Audio/Video playback component of Mozilla Firefox, affecting Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. This flaw enables information disclosure through improper memory boundary handling during media playback operations. While specific exploit details and CVSS metrics are not publicly disclosed, the vulnerability is categorized as an information disclosure issue affecting all three Firefox release channels.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4692
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

A sandbox escape vulnerability exists in Firefox's Responsive Design Mode component that allows attackers to break out of the browser's security sandbox and access sensitive information. This affects Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9. An attacker can exploit this vulnerability to disclose information by circumventing the sandbox restrictions that normally isolate web content from the browser's privileged context.

Mozilla Information Disclosure Firefox
NVD VulDB
CVE-2026-4691
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, ESR 115.34, and ESR 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4688
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.

Information Disclosure Memory Corruption Mozilla +2
NVD VulDB
CVE-2026-4687
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A sandbox escape vulnerability exists in Firefox's Telemetry component due to incorrect boundary condition handling, allowing attackers to potentially break out of the browser sandbox and access system resources or sensitive data. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. The vulnerability enables information disclosure and potentially arbitrary code execution by circumventing the sandbox isolation mechanism that normally restricts browser processes.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4686
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An incorrect boundary condition vulnerability exists in Firefox's Graphics Canvas2D component that can lead to information disclosure. This affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this boundary condition issue to disclose sensitive information through crafted Canvas2D operations, though no active exploitation or public proof-of-concept has been reported at this time.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4685
EPSS 0% CVSS 7.5
HIGH PATCH This Week

This vulnerability involves incorrect boundary conditions in Firefox's Graphics Canvas2D component that enables information disclosure. Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9 are affected. An attacker can leverage improper boundary validation in Canvas2D operations to read sensitive information from memory that should not be accessible through normal web content restrictions.

Information Disclosure Mozilla Firefox
NVD VulDB
CVE-2026-4684
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Mozilla Firefox's WebRender graphics component contains a race condition and use-after-free vulnerability that enables remote code execution when a user visits a malicious webpage. The flaw affects Firefox versions prior to 149, Firefox ESR versions before 115.34 and 140.9, and requires user interaction to trigger. No patch is currently available for this high-severity issue.

Mozilla Race Condition Information Disclosure +2
NVD VulDB
CVE-2025-64998
EPSS 0% CVSS 7.3
HIGH This Week

Checkmk exposes its session signing secret in configurations synchronized between remote and central sites, allowing a remote site administrator to forge valid session cookies and hijack user sessions on the central monitoring instance. This vulnerability affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and all 2.2.0 releases when configuration synchronization is enabled. An attacker with administrative privileges on a remote Checkmk site can leverage this exposure to impersonate any user, including central site administrators, potentially gaining complete control over the monitoring infrastructure.

Checkmk Information Disclosure Authentication Bypass +1
NVD VulDB
CVE-2026-3509
EPSS 0% CVSS 7.5
HIGH This Week

A format string vulnerability exists in the Audit Log component of CODESYS Control runtime system that allows unauthenticated remote attackers to inject malicious format specifiers into log messages. This affects numerous CODESYS Control products across multiple platforms including Windows, Linux, embedded systems (BeagleBone, Raspberry Pi, PFC100/200), and industrial controllers (Beckhoff CX, WAGO Touch Panels). Exploitation can lead to denial-of-service conditions by crashing the runtime system, with a CVSS score of 7.5 indicating high availability impact.

Information Disclosure
NVD VulDB
CVE-2026-4755
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193.

Google Information Disclosure Android
NVD GitHub VulDB
CVE-2026-33852
EPSS 0% CVSS 7.5
HIGH PATCH This Week

This vulnerability is a memory leak (CWE-401) in Android-ImageMagick7, a port of ImageMagick for Android, that allows remote attackers to cause denial of service by exhausting memory resources. The issue affects all versions of MolotovCherry Android-ImageMagick7 prior to version 7.1.2-11. With a CVSS score of 7.5 and a network-based attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), attackers can remotely trigger high-impact availability disruption, though there is no current evidence of active exploitation or public proof-of-concept.

Google Information Disclosure Android
NVD GitHub VulDB
CVE-2026-33856
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory leaks in MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11 allow remote attackers to cause denial of service by exhausting available memory without authentication. The vulnerability stems from improper memory management that fails to release resources after use, potentially crashing applications or rendering devices unresponsive.

Google Information Disclosure Android
NVD GitHub VulDB
CVE-2026-4753
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

RetroDebugger versions before 0.64.72 contain an out-of-bounds read vulnerability that allows remote attackers to cause denial of service and potentially disclose sensitive information without authentication or user interaction. The network-accessible vulnerability has a CVSS score of 9.1 and a patch is available.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVE-2026-4750
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. This critical vulnerability affects Debian systems and can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied immediately.

Buffer Overflow Debian Information Disclosure
NVD GitHub VulDB
CVE-2026-4749
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An information disclosure vulnerability exists in albfan miraclecast before version 1.0 that allows unauthenticated attackers on an adjacent network to access sensitive information. The vulnerability affects miraclecast across all versions prior to v1.0 via an unspecified mechanism (CWE-noinfo). While the CVSS score is 6.5 (medium-high), the attack vector is adjacent network (AV:A) rather than network-wide, and no active exploitation in the wild or known public proof-of-concept has been reported at this time.

Information Disclosure Debian
NVD GitHub VulDB
CVE-2026-4744
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Out-of-bounds read vulnerability in Notepad3's Oniguruma regex engine (regcomp.C) allows local attackers with user interaction to trigger memory disclosure or potential code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions before 6.25.714.1 and has a critical CVSS score of 9.3. A patch is available and users should update immediately.

Buffer Overflow Information Disclosure Notepad3
NVD GitHub VulDB
CVE-2026-4742
EPSS 0% CVSS 2.9
LOW PATCH Monitor

An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.

Information Disclosure Liteide
NVD GitHub VulDB
CVE-2026-4733
EPSS 0% CVSS 5.3
MEDIUM This Month

ixray-1.6-stcop before version 1.3 contains an Exposure of Sensitive Information vulnerability (CWE-200) that allows unauthenticated remote attackers to access unauthorized data. The vulnerability has a CVSS score of 5.3 with low attack complexity and no user interaction required, making it accessible over the network. While the vulnerability does not impact confidentiality or integrity according to the CVSS vector, the availability impact warrants immediate patching.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33308
EPSS 0% CVSS 6.8
MEDIUM This Month

Mod_gnutls versions prior to 0.13.0 fail to validate the Extended Key Usage (EKU) extension during client certificate verification, allowing an attacker with a valid certificate issued for a different purpose to improperly authenticate for TLS client certificate-based access. Only Apache HTTPD servers configured to use client certificate authentication (via GnuTLSClientVerify settings other than 'ignore') are affected. The vulnerability enables unauthorized information disclosure through certificate misuse, with a CVSS score of 6.8 reflecting high confidentiality impact but requiring non-trivial attack complexity.

Apache Information Disclosure
NVD GitHub VulDB
CVE-2026-4677
EPSS 0% CVSS 8.8
HIGH PATCH This Week

This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.

Debian Google Buffer Overflow +2
NVD VulDB
CVE-2026-4674
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.

Debian Google Buffer Overflow +2
NVD VulDB
CVE-2026-33634
EPSS 0% 4.9 CVSS 9.4
CRITICAL POC KEV PATCH THREAT Emergency

Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33430
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Microsoft Briefcase Windows MSI installers with per-machine scope create directories that inherit parent permissions insecurely, allowing authenticated local users to modify or replace application binaries. An attacker with low privileges can exploit this misconfiguration to inject malicious code that executes with administrator rights when launched. A patch is available addressing the vulnerable WXS file template generation.

Information Disclosure Microsoft
NVD GitHub
CVE-2026-32913
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32903
CVSS 6.1
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.

Information Disclosure
NVD GitHub
CVE-2026-32901
CVSS 6.7
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.

Information Disclosure
NVD GitHub
CVE-2026-32012
CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before version 2026.2.25 fails to implement durable replay state validation for Nextcloud Talk webhook events, allowing attackers to capture and replay previously valid signed webhook requests to cause duplicate processing. This affects all versions of OpenClaw prior to the patched release, and an attacker with network access can exploit this vulnerability without authentication or user interaction to trigger integrity and availability impacts such as duplicate message processing or resource exhaustion.

Information Disclosure Nextcloud
NVD GitHub
CVE-2026-28483
CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.

Information Disclosure
NVD GitHub
CVE-2026-1940
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read (CVSS 5.1). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Information Disclosure Redhat +1
NVD VulDB
CVE-2026-33202
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Rails Active Storage's DiskService#delete_prefixed method fails to escape glob metacharacters when passing blob keys to Dir.glob, allowing attackers to delete unintended files from the storage directory if blob keys contain attacker-controlled input or custom-generated keys with glob metacharacters. This affects Ruby on Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1, and while no CVSS score or EPSS data is currently available, the vulnerability represents a significant integrity and availability risk as it enables arbitrary file deletion on the server filesystem.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33174
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.

Information Disclosure
NVD GitHub VulDB
CVE-2025-60949
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33173
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.

Information Disclosure
NVD GitHub VulDB
CVE-2026-23486
EPSS 0% CVSS 5.3
MEDIUM This Month

A publicly accessible endpoint in Blinko prior to version 1.8.4 discloses sensitive user information including usernames, roles, and account creation dates without requiring authentication, allowing unauthenticated attackers to enumerate all user accounts. This information disclosure vulnerability (CWE-200) affects Blinko versions below 1.8.4 and has been patched in the latest release. The vulnerability is remotely exploitable over the network with minimal attack complexity and no privilege requirements, making it a significant privacy and enumeration risk for deployed instances.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32279
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in the external page migration feature of the Page Management Plugin (Connect CMS), allowing authenticated attackers with page management screen access to make the server perform requests to internal destinations and disclose sensitive information. The vulnerability affects Connect CMS versions 1.x through 1.41.0 and 2.x through 2.41.0, with patches available in versions 1.41.1 and 2.41.1 respectively. With a CVSS score of 6.8 and moderate attack complexity requiring high privileges, this represents a real but bounded risk primarily to organizations running older plugin versions with administrative users who may be compromised or malicious.

SSRF Information Disclosure
NVD GitHub VulDB
CVE-2026-32276
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.

RCE Information Disclosure Code Injection
NVD GitHub VulDB
CVE-2026-3055
EPSS 0% 4.9 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

An insufficient input validation vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, allowing attackers to trigger a memory overread condition. The vulnerability affects both the NetScaler ADC and NetScaler Gateway products across multiple versions, and successful exploitation could lead to information disclosure by reading adjacent memory contents. While no CVSS score or EPSS data is currently published, the CWE-125 classification (Out-of-bounds Read) combined with the SAML IDP configuration context suggests moderate to high real-world risk for organizations relying on these devices for identity management.

Information Disclosure Citrix Buffer Overflow
NVD VulDB GitHub
CVE-2026-27131
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33723
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVE-2026-33688
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
CVE-2025-15605
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A hardcoded cryptographic key in the configuration mechanism of TP-Link Archer NX series routers (NX200, NX210, NX500, NX600) allows authenticated attackers to decrypt, modify, and re-encrypt device configuration files, compromising both confidentiality and integrity of router settings. This vulnerability affects multiple hardware versions across all four product lines, with patches now available from the vendor. While no public exploit code or active KEV status has been reported, the authenticated attack requirement and widespread deployment of these consumer routers present moderate real-world risk.

TP-Link Information Disclosure
NVD VulDB
CVE-2026-4404
EPSS 0% CVSS 9.4
CRITICAL Act Now

GoHarbor Harbor versions 2.15.0 and earlier contain hardcoded default credentials that allow unauthenticated attackers to gain administrative access to the web UI using the default username 'admin' and password 'Harbor12345'. This vulnerability enables complete compromise of the container registry, including image manipulation, deletion, and unauthorized access to stored artifacts. The issue has been documented in GitHub issues and pull requests within the Harbor project, indicating active awareness and remediation efforts by the development team.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4647
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A specially crafted XCOFF object file can trigger an out-of-bounds memory read in the GNU Binutils BFD library due to improper validation of relocation type values. This affects Red Hat Enterprise Linux versions 6 through 10 and Red Hat OpenShift Container Platform 4, potentially allowing local attackers with user interaction to crash affected tools or disclose sensitive memory contents. While not currently listed in CISA KEV as actively exploited, the vulnerability is tracked across Red Hat, Sourceware, and Bugzilla with upstream references indicating visibility and likely patch development.

Information Disclosure Buffer Overflow
NVD VulDB
CVE-2026-4588
EPSS 0% CVSS 3.7
LOW POC Monitor

Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.

PHP Information Disclosure
NVD VulDB
CVE-2026-4587
EPSS 0% CVSS 3.7
LOW Monitor

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

PHP Information Disclosure
NVD VulDB GitHub
CVE-2026-1958
EPSS 0% CVSS 8.7
HIGH This Week

Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.

Hardcoded Credentials Authentication Bypass Information Disclosure +4
NVD VulDB
CVE-2026-31851
EPSS 0% CVSS 7.7
HIGH This Week

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on its authentication interface, enabling attackers to conduct brute-force attacks against user credentials without operational resistance. This vulnerability affects the Nebula 300+ device family as confirmed through CPE matching. An attacker with network access to the authentication interface can enumerate valid accounts and attempt unlimited password guesses, potentially compromising administrative or user-level access to the device.

Information Disclosure
NVD VulDB
CVE-2026-31850
EPSS 0% CVSS 6.8
MEDIUM This Month

The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files, enabling information disclosure through CWE-256 (Plaintext Storage of Password). This vulnerability affects firmware versions through 12.01.01.37 and allows an attacker who gains access to a backup file to immediately obtain full administrative and wireless network access without requiring cryptographic attacks. No CVSS score, EPSS data, or active KEV designation is currently available, but the plaintext credential exposure represents a critical risk for any environment relying on configuration backups.

Information Disclosure
NVD VulDB
CVE-2026-31847
EPSS 0% CVSS 8.5
HIGH This Week

A hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37, allowing unauthenticated remote attackers to enable a Telnet service that exposes a privileged diagnostic management interface. This significantly expands the attack surface and enables further device compromise through an unencrypted network protocol. No CVSS score, EPSS data, or KEV status is currently available, but the severity is elevated given the remote nature of exploitation and the direct access to privileged diagnostic functions.

Information Disclosure
NVD VulDB
CVE-2026-4584
EPSS 0% CVSS 3.1
LOW POC Monitor

The Shenzhen HCC Technology MPOS M6 PLUS device running firmware version 1V.31-N contains a cleartext transmission vulnerability in its Cardholder Data Handler component that allows attackers on the local network to intercept sensitive information. An attacker with network access can manipulate the affected component to force transmission of cardholder data in cleartext, compromising payment card information. A publicly available proof-of-concept exists on GitHub, and the vulnerability has a CVSS score of 3.1 (low severity) due to high attack complexity requirements, though the exploitation difficulty rating suggests real-world risk depends heavily on network proximity and attacker capabilities.

Information Disclosure
NVD VulDB GitHub
CVE-2026-4633
EPSS 0% CVSS 3.7
LOW Monitor

Keycloak contains an information disclosure vulnerability in the identity-first login flow when Organizations are enabled, where differential error messages allow remote attackers to enumerate valid user accounts without authentication. The vulnerability affects Red Hat Build of Keycloak across multiple versions, and while the CVSS score is low (3.7), the attack requires only network access with no user interaction. This user enumeration flaw could facilitate credential stuffing, phishing, or social engineering campaigns by confirming the existence of target accounts.

Information Disclosure
NVD VulDB
CVE-2026-3587
EPSS 0% CVSS 10.0
CRITICAL Act Now

A hidden function in the CLI prompt of multiple WAGO industrial and lean managed switches allows unauthenticated remote attackers to escape the restricted interface and gain root access to the underlying Linux operating system. This results in complete device compromise with a maximum CVSS score of 10.0. The vulnerability affects over a dozen WAGO switch models used in industrial automation environments, and was disclosed by CERT@VDE.

Information Disclosure
NVD VulDB
CVE-2026-23554
EPSS 0% CVSS 7.8
HIGH PATCH This Week

This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.

Information Disclosure Intel
NVD VulDB
CVE-2025-13997
EPSS 0% CVSS 5.3
MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-10734
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-10679
EPSS 0% CVSS 7.3
HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE +3
NVD VulDB
CVE-2025-10731
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

WordPress Information Disclosure Authentication Bypass +2
NVD VulDB
CVE-2026-4603
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. A proof-of-concept exists and the vulnerability has moderate real-world risk due to its low attack complexity and local attack vector.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4601
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. A proof-of-concept exploit is available (https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586), and the CVSS score of 8.7 with Proof-of-concept Exploitation status indicates active research interest.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4599
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. A proof-of-concept is publicly available (referenced in GitHub Gist), demonstrating the attack feasibility, and the vulnerability requires no authentication or user interaction for remote exploitation.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4602
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists as indicated by the CVSS exploitability metric and public GitHub references demonstrating the attack technique.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4600
EPSS 0% CVSS 7.4
HIGH PATCH This Week

A cryptographic signature verification vulnerability exists in the jsrsasign JavaScript library before version 11.1.1 that allows attackers to forge DSA signatures and X.509 certificates. The vulnerability affects DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, enabling complete bypass of signature verification by supplying malicious domain parameters (g=1, y=1, r=1). A proof-of-concept exploit is publicly available (CVSS:3.1 E:P rating) demonstrating active exploitation feasibility, though the attack complexity is rated high and no KEV listing indicates limited widespread exploitation to date.

Information Disclosure Jwt Attack
NVD GitHub VulDB
CVE-2026-4564
EPSS 0% CVSS 4.7
MEDIUM This Month

A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.

Information Disclosure
NVD GitHub VulDB

Quick Facts

Typical Severity: MEDIUM
Category: other
Total CVEs: 12480
