Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Disclosure happens through several channels: verbose error messages whose stack traces reveal internal paths and frameworks, debug endpoints left active in production, and misconfigured servers that expose directory listings or version-control artifacts such as .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
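The same signals the reconnaissance above looks for are the ones a defender should audit their own application for before an attacker does. The checker below is an added example, not code from the original page: it takes an HTTP response (path, headers, body) and flags version banners, stack traces with internal paths, directory listings, exposed `.git` configuration and `.env` secrets, plus a missing `X-Content-Type-Options` header. The sample responses are constructed, and the patterns are a starting point rather than a complete ruleset.

```python
"""Flag information-disclosure signals in a web application's own HTTP responses.

Added example (not from the original page). The responses below are
constructed samples; the regular expressions are illustrative starting points.
"""
import re
from dataclasses import dataclass

# Header names whose values commonly carry product and version information.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Body patterns for framework stack traces, internal paths, directory listings
# and leaked development artifacts.
BODY_SIGNALS = {
    "stack_trace": re.compile(
        r"(Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)|"
        r"Stack trace:|Fatal error: .* in /[^ ]+ on line \d+)"),
    "internal_path": re.compile(r"(/var/www/|/home/\w+/|/srv/|C:\\inetpub\\|/app/)"),
    "directory_listing": re.compile(r"<title>Index of /", re.IGNORECASE),
    "git_artifact": re.compile(r"^\[core\]\s*$", re.MULTILINE),      # start of .git/config
    "dotenv_secret": re.compile(r"^[A-Z_]*(KEY|SECRET|PASSWORD|TOKEN)[A-Z_]*=", re.MULTILINE),
}


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def check_response(path, headers, body):
    """Return the Findings for one response. Header names match case-insensitively."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        value = lower.get(name)
        if value and re.search(r"\d+\.\d+", value):      # banner includes a version number
            findings.append(Finding(path, "version_banner", f"{name}: {value}"))
    if "x-content-type-options" not in lower:
        findings.append(Finding(path, "missing_header", "X-Content-Type-Options absent"))
    for kind, pattern in BODY_SIGNALS.items():
        match = pattern.search(body)
        if match:
            findings.append(Finding(path, kind, match.group(0)[:80]))
    return findings


# Constructed sample responses, not real captures.
SAMPLE_RESPONSES = [
    ("/api/user/42",
     {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
     "Fatal error: Uncaught PDOException in /var/www/app/db.php on line 17"),
    ("/.git/config", {"Server": "nginx"},
     "[core]\n\trepositoryformatversion = 0\n[remote \"origin\"]\n"
     "\turl = git@example.invalid:org/app.git\n"),
    ("/backup/", {"Server": "nginx"},
     "<html><head><title>Index of /backup</title></head></html>"),
    ("/.env", {"Server": "nginx"},
     "APP_KEY=base64:EXAMPLEPLACEHOLDER\nDB_PASSWORD=example\n"),
    ("/healthz", {"Server": "nginx", "X-Content-Type-Options": "nosniff"},
     '{"status":"ok"}'),
]


def audit(responses=SAMPLE_RESPONSES):
    """Run check_response over every sample; returns {path: [(kind, detail), ...]}."""
    report = {}
    for path, headers, body in responses:
        report[path] = [(f.kind, f.detail) for f in check_response(path, headers, body)]
    return report


if __name__ == "__main__":
    for path, items in audit().items():
        print(path, "clean" if not items else "")
        for kind, detail in items:
            print(f"  {kind:<18} {detail}")
```

Run it against captured responses from a staging deployment (a few hundred lines of proxy output is enough) and treat every non-empty entry as a deployment blocker; only `/healthz` in the sample set comes back clean.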

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
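Three of the mitigations above (generic error pages, response minimization, and uniform authentication responses) are application-code changes rather than server settings, so here they are together in one small, framework-free handler. This is an added example and not code from the original page; `handle_request` stands in for a route handler, and the user store is a constructed in-memory dict.

```python
"""Generic errors, allowlisted responses and uniform login failures in plain Python.

Added example, not code from the original page. No web framework: handle_request
stands in for a route handler and USERS is a constructed sample store.
"""
import hashlib
import hmac
import logging
import uuid

log = logging.getLogger("app")

# --- Response minimization: an explicit allowlist of fields per view -----------------
PUBLIC_USER_FIELDS = ("id", "display_name")


def serialize_user(user, fields=PUBLIC_USER_FIELDS):
    """Return only allowlisted keys, so a new column added later stays hidden by default."""
    return {k: user[k] for k in fields if k in user}


# --- Generic error pages: detail goes to the server log under a correlation id --------
def generic_error(exc):
    """Log the full traceback server-side; the client sees a fixed message and a reference."""
    ref = uuid.uuid4().hex[:12]
    log.exception("ref=%s unhandled %s", ref, type(exc).__name__)
    return 500, {"error": "internal error", "ref": ref}


# --- Uniform auth responses: same message and same work for unknown users ---------------
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-sample-salt"          # constructed; real code uses a random per-user salt
USERS = {
    "alice": {"id": 42, "display_name": "Alice", "email": "alice@example.invalid",
              "salt": _SALT, "hash": _hash("correct horse", _SALT)},
}
# Dummy record consulted when the username does not exist, so the hash is still computed
# and an unknown user costs the same time as a wrong password.
_DUMMY = {"salt": _SALT, "hash": _hash("placeholder-dummy-password", _SALT)}

AUTH_FAILED = "invalid username or password"


def login(username, password):
    """Return (ok, message). Message and hashing work are identical for unknown users
    and wrong passwords, so neither the text nor the timing enumerates accounts."""
    record = USERS.get(username, _DUMMY)
    candidate = _hash(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"]) and username in USERS
    return ok, ("ok" if ok else AUTH_FAILED)


def find_user(user_id):
    for user in USERS.values():
        if user["id"] == user_id:
            return user
    raise LookupError(f"no user {user_id}")


def handle_request(path, params):
    """Minimal dispatcher: every exception reaches the client only as a generic error."""
    try:
        if path == "/login":
            ok, msg = login(params.get("username", ""), params.get("password", ""))
            return (200, {"ok": True}) if ok else (401, {"error": msg})
        if path == "/user":
            return 200, serialize_user(find_user(int(params["id"])))
        return 404, {"error": "not found"}
    except Exception as exc:          # deliberate catch-all at the trust boundary
        return generic_error(exc)


if __name__ == "__main__":
    print(handle_request("/user", {"id": "42"}))
    print(handle_request("/user", {"id": "abc"}))          # ValueError -> generic 500
    print(handle_request("/login", {"username": "nobody", "password": "x"}))
```

The `ref` value returned with the generic error is what support staff search for in the server log; the log line carries the traceback, the client never does. The allowlist in `serialize_user` is the allowlist-over-blocklist point from the list above: a field is exposed only by being named.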

Recent CVEs (12500)

CVE-2026-33043
EPSS 0% CVSS 8.1
HIGH PATCH This Week

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

Cors Misconfiguration PHP Information Disclosure
NVD GitHub VulDB
CVE-2026-32766
EPSS 0%
LOW PATCH Monitor

CVE-2026-32766 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33041
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVE-2026-4064
EPSS 0% CVSS 8.3
HIGH This Week

PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.

Authentication Bypass Information Disclosure Powershell Universal
NVD VulDB
CVE-2026-4358
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Memory corruption in MongoDB Server's slot-based execution engine can be triggered by authenticated users with write privileges through malicious $lookup aggregation queries that cause hash table spillover to disk. Successful exploitation enables denial of service and potential information disclosure, though a patch is not currently available. The attack requires network access and specific query construction, limiting the practical exploit window.

Information Disclosure
NVD VulDB
CVE-2025-62500
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, allowing attackers to read memory beyond allocated buffer boundaries. Affinity version 3.0.1.3808 and potentially earlier versions are affected. By crafting a malicious EMF file, an unauthenticated attacker with local file system access can trigger the vulnerability through user interaction (opening the file), potentially disclosing sensitive information such as API keys, credentials, or other data resident in adjacent memory regions. The vulnerability has a CVSS score of 6.1 indicating medium severity with high confidentiality impact but limited integrity and availability consequences.

Information Disclosure Buffer Overflow Affinity
NVD VulDB
CVE-2025-61979
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing an attacker to read memory beyond allocated buffer boundaries by crafting a malicious EMF file. This vulnerability affects Canva Affinity version 3.0.1.3808 and potentially earlier versions, and requires user interaction (opening a specially crafted file) but no elevated privileges to exploit. Successful exploitation can disclose sensitive information from process memory, with potential for limited availability impact; no public exploit code or active exploitation in the wild has been confirmed based on available intelligence.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-64733
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, allowing an attacker to read memory beyond allocated buffer boundaries by supplying a specially crafted EMF file. Affected versions include Affinity 3.0.1.3808 and potentially other releases in the Affinity product line. Successful exploitation could disclose sensitive information from application memory, though the vulnerability does not enable code execution or denial of service; however, the local attack vector and user interaction requirement (opening a malicious file) limit real-world impact compared to network-exploitable vulnerabilities.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-66000
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, affecting version 3.0.1.3808 and potentially earlier releases. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from adjacent memory regions. The vulnerability requires user interaction (opening a file) but no elevated privileges, with a CVSS score of 6.1 indicating moderate severity; while not currently listed in CISA's Known Exploited Vulnerabilities catalog, the straightforward attack vector and information disclosure impact warrant prompt patching.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-64776
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling that allows attackers to read memory beyond allocated buffer boundaries. The vulnerability affects Affinity version 3.0.1.3808 and potentially other versions in the product line. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory, with a CVSS score of 6.1 indicating moderate severity with high confidentiality impact and limited availability impact.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-64735
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, affecting Affinity 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, allowing disclosure of sensitive information from adjacent memory regions. While the CVSS score of 6.1 indicates moderate severity with high confidentiality impact, actual exploitation requires user interaction (opening a file) and is limited to information disclosure without code execution capability.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-66633
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions in the product line; attackers with local access and user interaction can trigger the flaw to disclose sensitive information from process memory. While the CVSS score of 6.1 indicates medium severity with high confidentiality impact and low availability impact, the attack requires local file system access and user interaction (opening a malicious EMF file), limiting widespread exploitation risk.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-58427
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk of information disclosure with minimal availability impact.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-66617
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially earlier versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from the application's memory space. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk primarily through information disclosure, though local denial of service is also possible.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-47873
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory such as authentication tokens, cryptographic keys, or other confidential data. The vulnerability requires user interaction (opening a file) and local access, making it a moderate-priority issue with a CVSS base score of 6.1, though the high confidentiality impact warrants prompt patching.

Information Disclosure Buffer Overflow Affinity
NVD VulDB
CVE-2025-61952
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality that allows attackers to read memory beyond allocated buffer boundaries. Canva Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory; the vulnerability requires user interaction (opening the file) but no elevated privileges, making it a practical attack vector for phishing or drive-by downloads.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-66503
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries by crafting malicious EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker with local access can exploit this vulnerability through user interaction (opening a crafted EMF file) to disclose sensitive information from process memory, with potential for denial of service through application crashes.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-66042
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected, with the vulnerability requiring only local access and user interaction (opening a malicious file) to trigger. Successful exploitation enables disclosure of sensitive information from application memory, with potential limited impact on system availability; no active exploitation or public proof-of-concept has been confirmed at this time based on available intelligence sources.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2025-65119
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) image processing functionality of Canva Affinity, enabling attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, allowing unauthenticated local attackers with no special privileges to trigger the flaw via user interaction (opening a malicious file). Successful exploitation can disclose sensitive information from process memory, with a secondary risk of application instability (low availability impact). No active exploitation in the wild or public proof-of-concept has been confirmed based on available intelligence, but the vulnerability has been formally disclosed by Talos Intelligence and tracked in NIST NVD and ENISA EUVD databases.

Information Disclosure Buffer Overflow Affinity
NVD VulDB
CVE-2025-62403
EPSS 0% CVSS 6.1
MEDIUM This Month

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, requiring local access and user interaction (opening a malicious EMF file). Successful exploitation can lead to disclosure of sensitive information from process memory, with limited impact on system availability. No active exploitation in the wild has been confirmed via KEV status, and the CVSS 6.1 score reflects moderate risk balanced between high confidentiality impact and lower attack complexity.

Information Disclosure Buffer Overflow Affinity
NVD VulDB
CVE-2026-20726
EPSS 0% CVSS 6.1
MEDIUM This Month

Canva Affinity's EMF file parser is vulnerable to out-of-bounds read attacks when processing specially crafted files, allowing attackers to extract sensitive information from application memory. This local vulnerability requires user interaction to trigger and has no available patch, affecting users who open malicious EMF documents in Affinity.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2026-22882
EPSS 0% CVSS 6.1
MEDIUM This Month

Canva Affinity's EMF file parser is vulnerable to an out-of-bounds read (CWE-125) when processing specially crafted EMF files, allowing local attackers to extract sensitive data from application memory. This medium-severity vulnerability affects users who open untrusted EMF files and currently has no available patch. The attack requires user interaction and local access but poses a real information disclosure risk.

Buffer Overflow Information Disclosure Affinity
NVD VulDB
CVE-2026-32943
EPSS 0% CVSS 2.3
LOW PATCH Monitor

The password reset mechanism in Parse Server fails to enforce single-use guarantees on reset tokens, allowing attackers to exploit a race condition during concurrent password reset requests. An attacker who intercepts a password reset token can submit a password change request that races against the legitimate user's own reset attempt, potentially causing the attacker's new password to take effect while the user believes their own password was successfully changed. All Parse Server deployments using the password reset feature are affected, with patched versions available from the vendor (Parse Server versions 8.6.48 and later, and 9.6.0-alpha.28 and later).

Information Disclosure
NVD GitHub VulDB
CVE-2026-32700
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. This affects all Devise applications using the default Confirmable configuration with email changes, and is patched in Devise v5.0.3.

Race Condition Information Disclosure
NVD GitHub VulDB
CVE-2026-32295
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

JetKVM versions prior to 0.5.4 contain an authentication vulnerability that allows unlimited login attempts without rate limiting, enabling attackers to conduct brute-force attacks against user credentials. This affects KVM (Keyboard, Video, Mouse) over IP devices used for remote server management, potentially granting attackers administrative access to critical infrastructure. The vulnerability has been reported by CISA-CG and analyzed by security researchers at Eclypsium in their research on KVM device security risks.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32294
EPSS 0% CVSS 7.0
HIGH PATCH This Week

JetKVM versions prior to 0.5.4 lack cryptographic verification of firmware update authenticity, allowing attackers positioned on the network or controlling the update server to inject malicious firmware that bypasses hash validation. This enables local attackers with user interaction to compromise system integrity through a man-in-the-middle attack or server compromise. A patch is available to address this vulnerability.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32293
EPSS 0% CVSS 3.7
LOW Monitor

The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates.

Information Disclosure
NVD VulDB
CVE-2026-32292
EPSS 0% CVSS 7.5
HIGH This Week

A brute-force authentication vulnerability exists in the GL-iNet Comet (GL-RM1) KVM device's web interface, which fails to implement rate limiting or account lockout mechanisms for login attempts. This allows remote attackers to systematically guess credentials and gain unauthorized access to the KVM management interface, potentially compromising all systems connected to the KVM device. The vulnerability affects GL-iNet Comet KVM versions prior to 1.7.2 and has a CVSS score of 7.5, indicating high severity for confidentiality impact.

Information Disclosure
NVD VulDB
CVE-2026-32290
EPSS 0% CVSS 4.7
MEDIUM This Month

GL-iNet Comet (GL-RM1) firmware verification fails to authenticate update packages cryptographically, allowing an attacker positioned on the network or controlling the update server to inject malicious firmware. An attacker exploiting this weakness could modify firmware binaries and their corresponding MD5 hashes to bypass integrity checks and gain code execution on affected devices. No patch is currently available.

Information Disclosure
NVD VulDB
CVE-2026-4148
EPSS 0% CVSS 8.7
HIGH PATCH This Week

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read permissions execute malicious $lookup or $graphLookup aggregation pipeline operations. An attacker can exploit this vulnerability to achieve high-impact outcomes including information disclosure, data manipulation, and denial of service. No patch is currently available for this vulnerability.

Use After Free Information Disclosure Memory Corruption
NVD VulDB
CVE-2026-4147
EPSS 0% CVSS 7.1
HIGH PATCH This Week

An authenticated user with a read-only role can extract limited amounts of uninitialized stack memory through specially crafted invocations of the filemd5 command in MongoDB Server. This information disclosure vulnerability affects MongoDB Server versions 8.2 prior to 8.2.6, 8.0 prior to 8.0.20, and 7.0 prior to 7.0.31. An attacker with valid database read credentials can exploit this to leak sensitive data from process memory without requiring elevated privileges or user interaction.

Information Disclosure
NVD VulDB
CVE-2026-28506
EPSS 0% CVSS 4.3
MEDIUM This Month

Outline versions before 1.5.0 allow authenticated users to enumerate sensitive metadata from documents they shouldn't access via a logic flaw in the events.list API endpoint, exposing document IDs, activity timestamps, and titles of deleted items. This information disclosure enables attackers to bypass UUID protections and craft follow-up IDOR attacks to access restricted documents. The vulnerability requires authentication but affects all users with access to the Outline instance.

Information Disclosure Outline
NVD GitHub VulDB
CVE-2026-27977
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Redhat
NVD GitHub VulDB
CVE-2026-28563
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Authentication Bypass +2
NVD GitHub VulDB
CVE-2026-26929
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Python +2
NVD GitHub VulDB
CVE-2026-28779
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure Apache Debian +1
NVD GitHub VulDB
CVE-2026-4258
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A cryptographic vulnerability in the Stanford Javascript Crypto Library (SJCL) allows attackers to recover victims' ECDH private keys through a missing point-on-curve validation flaw. The vulnerability affects all versions of SJCL and enables remote attackers to send specially crafted off-curve public keys and observe ECDH outputs to extract private key material. A proof-of-concept exploit is publicly available, though the vulnerability is not currently listed in CISA KEV and has no EPSS score assigned yet.

Information Disclosure Oracle Jwt Attack +2
NVD GitHub VulDB
CVE-2026-2373
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can extract sensitive data from non-public custom post types in Royal Addons for Elementor WordPress plugin versions up to 1.7.1049 through improper access controls in the get_main_query_args() function. This allows exposure of private content including Contact Form 7 submissions and WooCommerce coupons without authentication. The vulnerability affects WordPress installations using this plugin and remains unpatched.

WordPress Information Disclosure PHP
NVD VulDB
CVE-2026-0708
EPSS 0% CVSS 8.3
HIGH This Week

Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.

Denial Of Service Information Disclosure Buffer Overflow +2
NVD GitHub VulDB
CVE-2026-32756
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

CSRF PHP RCE +2
NVD GitHub VulDB
CVE-2026-29522
EPSS 0%
Monitor

ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint.

Path Traversal Information Disclosure
NVD VulDB
CVE-2026-1629
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.

Information Disclosure Mattermost
NVD VulDB
CVE-2026-30876
EPSS 0% CVSS 5.3
MEDIUM This Month

A security vulnerability in Chamilo LMS (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Chamilo Lms
NVD GitHub VulDB
CVE-2026-29516
EPSS 0% CVSS 4.9
MEDIUM This Month

CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.

PHP Information Disclosure Terastation Nas Ts5400r
NVD VulDB
CVE-2026-32728
EPSS 0%
HIGH PATCH This Week

File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.

Information Disclosure XSS
NVD GitHub VulDB
CVE-2026-32268
EPSS 0%
HIGH PATCH This Week

The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.

Information Disclosure Authentication Bypass Microsoft +1
NVD GitHub VulDB
CVE-2026-32266
EPSS 0%
LOW PATCH Monitor

Unauthenticated users can view a list of buckets the plugin has access to.

CSRF Information Disclosure
NVD GitHub VulDB
CVE-2026-32265
EPSS 0%
MEDIUM PATCH This Month

The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.

CSRF Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVE-2026-32264
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.

PHP Information Disclosure
NVD GitHub VulDB
CVE-2025-54758
Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
CVE-2025-53815
Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
CVE-2025-53517
Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
CVE-2026-32634
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A credential disclosure vulnerability exists in Glances monitoring tool when running in Central Browser mode with autodiscovery enabled. The vulnerability allows attackers on the same local network to steal reusable authentication credentials by advertising fake Glances services via Zeroconf, as the application trusts untrusted service names for password lookups instead of using verified IP addresses. A working proof-of-concept is included in the advisory, and the issue has a CVSS score of 8.1 indicating high severity.

Python Information Disclosure
NVD GitHub VulDB
CVE-2026-32633
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

The Glances system monitoring tool exposes reusable authentication credentials for downstream servers through an unauthenticated API endpoint when running in Central Browser mode without password protection. This vulnerability allows any network attacker to retrieve pbkdf2-hashed passwords that can be replayed to access protected Glances servers across an entire monitored fleet. A proof-of-concept is included in the advisory demonstrating credential extraction from the /api/4/serverslist endpoint.

Python Information Disclosure
NVD GitHub VulDB
CVE-2026-32610
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.

Python Information Disclosure Docker +1
NVD GitHub VulDB
CVE-2026-4252
EPSS 0% CVSS 8.9
HIGH POC This Week

A critical authentication bypass vulnerability exists in Tenda AC8 router firmware version 16.03.50.11 where the IPv6 handler function check_is_ipv6 relies on IP address for authentication, allowing remote attackers to gain unauthorized access. The vulnerability has a publicly available proof-of-concept exploit on GitHub and scores 9.8 CVSS, enabling complete compromise of the affected device with no authentication required. While not currently listed in CISA KEV, the combination of public exploit availability and ease of exploitation makes this a high-priority vulnerability for organizations using affected Tenda routers.

Tenda Information Disclosure
NVD VulDB GitHub
CVE-2026-32609
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A critical information disclosure vulnerability in Glances system monitoring tool allows unauthenticated remote attackers to access sensitive configuration data including password hashes, SNMP community strings, and authentication keys through unprotected API endpoints. The vulnerability affects Glances versions prior to 4.5.2 when running in web server mode without password protection (the default configuration), and a proof-of-concept demonstrating the attack is publicly available. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a high CVSS score of 7.5 due to the ease of exploitation and severity of exposed secrets.

Python Information Disclosure
NVD GitHub VulDB
CVE-2026-32606
EPSS 0% CVSS 7.6
HIGH PATCH This Week

A critical physical access vulnerability in IncusOS allows attackers to bypass LUKS disk encryption without breaking Secure Boot or modifying the kernel. The vulnerability affects all IncusOS versions through mkosi prior to version 202603142010 and enables attackers with physical access to extract encryption keys by substituting the encrypted root partition with their own malicious partition. This vulnerability has been patched and a proof-of-concept attack methodology has been publicly documented.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32596
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.

Python Docker Information Disclosure
NVD GitHub VulDB
CVE-2026-28500
EPSS 0% CVSS 8.6
HIGH PATCH This Week

ONNX's hub.load() function can be bypassed to load untrusted models without user confirmation when the silent parameter is enabled, allowing attackers to potentially deliver malicious models to applications that suppress security warnings. The vulnerability stems from improper logic in the repository trust verification mechanism that prioritizes the silent flag over security checks. This affects Python-based systems using ONNX and could lead to unauthorized code execution through model loading.

Python Information Disclosure Redhat +1
NVD GitHub VulDB
CVE-2026-4251
EPSS 0% CVSS 2.5
LOW POC Monitor

A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.

Information Disclosure Google Android
NVD VulDB
CVE-2026-4250
EPSS 0% CVSS 2.5
LOW POC Monitor

A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure Android
NVD VulDB
CVE-2026-21386
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CVE-2026-21386 is a security vulnerability (CVSS 4.3) that allows an authenticated team member. Remediation should follow standard vulnerability management procedures.

Information Disclosure Mattermost Server Suse
NVD VulDB
CVE-2025-52646
EPSS 0% CVSS 2.2
LOW Monitor

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.

Information Disclosure SQLi
NVD VulDB
CVE-2025-52645
EPSS 0% CVSS 1.9
LOW Monitor

A security vulnerability in HCL AION (CVSS 1.9). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD VulDB
CVE-2025-52642
EPSS 0% CVSS 3.3
LOW Monitor

HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour.

Information Disclosure
NVD VulDB
CVE-2026-27448
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2026-27448 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Redhat Suse
NVD GitHub VulDB
CVE-2025-52649
EPSS 0% CVSS 1.8
LOW Monitor

HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature.

Information Disclosure
NVD VulDB
CVE-2026-4242
EPSS 0% CVSS 2.5
LOW POC Monitor

A security vulnerability (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure Java +1
NVD VulDB
CVE-2025-52644
EPSS 0% CVSS 5.8
MEDIUM This Month

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing the traceability of user activities and potentially compromising monitoring, accountability, and incident investigation capabilities. The vulnerability affects AION 2.0 and is classified as an Information Disclosure issue with a CVSS score of 5.8. An attacker with local access and low privileges could exploit this to perform actions without adequate logging, hindering forensic analysis and compliance audit trails.

Information Disclosure Aion
NVD VulDB
CVE-2025-52643
EPSS 0% CVSS 4.7
MEDIUM This Month

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure Aion
NVD VulDB
CVE-2026-4193
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access control in D-Link DIR-823G 1.0.2B05's goahead component allows unauthenticated remote attackers to manipulate multiple configuration functions including firewall, network, and security settings. The vulnerability affects a wide range of device management functions and has been publicly disclosed with no patch currently available. Affected organizations should implement network segmentation and access controls to limit exposure to this remotely exploitable flaw.

D-Link Information Disclosure
NVD GitHub VulDB
CVE-2025-10461
EPSS 0% CVSS 5.3
MEDIUM This Month

An arbitrary file access vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Docker
NVD VulDB
CVE-2026-4239
EPSS 0% CVSS 3.5
LOW POC Monitor

A vulnerability was found in Lagom WHMCS Template up to 2.3.7.

Code Injection Information Disclosure
NVD VulDB GitHub
CVE-2025-52648
EPSS 0% CVSS 4.8
MEDIUM This Month

A security vulnerability in HCL AION (CVSS 4.8). Remediation should follow standard vulnerability management procedures.

Information Disclosure Jwt Attack
NVD VulDB
CVE-2025-52638
EPSS 0% CVSS 5.6
MEDIUM This Month

HCL AION contains a container base image authentication vulnerability where container images are not properly verified before deployment, potentially allowing attackers to execute untrusted or malicious container images within the AION environment. This affects AION 2.0 and could enable attackers with local access and high privileges to compromise system integrity and availability. No public evidence of active exploitation or POC availability has been identified in the provided intelligence sources.

Information Disclosure
NVD VulDB
CVE-2025-52637
EPSS 0% CVSS 4.5
MEDIUM This Month

HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.

Information Disclosure SQLi
NVD VulDB
CVE-2026-25783
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mattermost fails to properly validate User-Agent header tokens in versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier, allowing authenticated attackers to trigger request panics through specially crafted User-Agent headers. This denial-of-service vulnerability affects availability but requires prior authentication and results in only low-severity impact. While the CVSS score of 4.3 reflects the low severity, the practical risk depends on whether the application is exposed to untrusted authenticated users and whether automatic exploitation tools are readily available.

Information Disclosure Mattermost Suse
NVD VulDB
CVE-2026-2578
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mattermost versions 11.3.x up to and including 11.3.0 contain an information disclosure vulnerability where burn-on-read posts fail to maintain their redacted state when deleted, allowing authenticated channel members to view previously hidden message contents through WebSocket post deletion events. The vulnerability requires low-privilege authenticated access and results in confidentiality loss of sensitive communications that were intentionally designed to be self-destructing. With a CVSS score of 4.3 and network-based attack vector, this represents a meaningful but contained risk primarily affecting organizations relying on Mattermost's burn-on-read feature for secure internal communications.

Information Disclosure Mattermost Suse
NVD VulDB
CVE-2025-69246
EPSS 0% CVSS 6.9
MEDIUM This Month

Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts without triggering account lockout, rate limiting, or multi-factor authentication challenges. Versions prior to 1.4.6 are affected, and an attacker can systematically enumerate valid usernames and crack passwords through high-volume credential stuffing attacks. The vulnerability represents a significant authentication bypass risk that could lead to unauthorized administrative access depending on password strength and user enumeration feasibility.

Information Disclosure Raytha
NVD
CVE-2025-69243
EPSS 0% CVSS 6.9
MEDIUM This Month

Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages reveal whether a login exists in the system, enabling attackers to build valid user lists for targeted brute force attacks. This vulnerability affects Raytha CMS versions prior to 1.5.0. The moderate CVSS score of 6.9 reflects the information disclosure risk, though real-world impact depends on how attackers chain this enumeration with other attacks.

Information Disclosure Raytha
NVD VulDB
CVE-2025-69240
EPSS 0% CVSS 7.5
HIGH This Week

A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwarded-Host or Host headers, leading to account takeover. The vulnerability affects all versions prior to 1.4.6 and requires only that the attacker knows the victim's email address to initiate the attack chain. With a CVSS 7.5 score and requiring user interaction, this represents a significant authentication bypass risk for organizations using the affected CMS versions.

Information Disclosure Authentication Bypass Raytha
NVD
CVE-2026-2457
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mattermost fails to properly sanitize client-supplied post metadata in its post update API endpoint, allowing authenticated attackers to spoof permalink embeds and impersonate other users through crafted PUT requests. The vulnerability affects Mattermost versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier. While the CVSS score of 4.3 is moderate and requires authentication, the integrity impact allows attackers to deceive users by falsely attributing messages to legitimate users, potentially facilitating social engineering or misinformation campaigns within Mattermost instances.

Information Disclosure Mattermost Suse
NVD VulDB
CVE-2026-2476
EPSS 0% CVSS 7.6
HIGH PATCH This Week

A sensitive information disclosure vulnerability in Mattermost Plugins versions 2.0.3.0 and earlier fails to properly mask sensitive configuration values in support packets, allowing attackers with high privileges to extract original plugin settings from exported configuration data. The vulnerability requires authenticated access with high privileges (CVSS 7.6) and enables attackers to obtain sensitive configuration data that should be masked, potentially exposing API keys, credentials, or other sensitive plugin configurations. No active exploitation or proof-of-concept has been reported, and the vulnerability requires significant access privileges to exploit.

Information Disclosure Suse
NVD GitHub VulDB
CVE-2025-15552
EPSS 0% CVSS 6.0
MEDIUM This Month

Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.

Privilege Escalation Information Disclosure Lapswebui
NVD
CVE-2026-3024
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

XSS Privilege Escalation Information Disclosure +1
NVD VulDB
CVE-2026-4233
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Path Traversal Information Disclosure Thingsgateway
NVD VulDB GitHub
CVE-2026-3111
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

An Insecure Direct Object Reference (IDOR) vulnerability exists in Campus Educativa at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' that allows unauthenticated attackers to enumerate and download profile photographs of all users by manipulating URL parameters. Successful exploitation enables mass collection of user photos for identity impersonation, social engineering, facial recognition-based identity linking across platforms, and doxxing attacks. With a CVSS score of 6.9 and no authentication required, this vulnerability poses a moderate-to-significant risk to user privacy and security.

Information Disclosure Campus
NVD
CVE-2026-3110
EPSS 0% CVSS 8.7
HIGH PATCH This Week

An Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa allows unauthenticated attackers to access sensitive user data including usernames, full names, email addresses, and phone numbers of all enrolled students by manipulating course IDs in the export endpoint. The vulnerability requires no authentication and can be exploited remotely through simple URL manipulation and brute-force attacks on course IDs. With a CVSS score of 8.7 and network-based attack vector, this represents a critical data exposure risk for educational institutions using Campus Educativa.

Information Disclosure Campus
NVD
CVE-2025-11500
EPSS 0% CVSS 8.7
HIGH This Week

An authentication bypass vulnerability in Tinycontrol network devices (tcPDU and LAN Controllers LK3.5, LK3.9, LK4) exposes usernames and encoded passwords for both normal and admin users through unauthenticated HTTP requests to the login page. The vulnerability affects devices running older firmware versions when the secondary authentication mechanism is disabled (default setting), allowing any attacker on the local network to harvest credentials without authentication. With an EPSS score of 0.00043 and no KEV listing, this vulnerability shows low real-world exploitation activity despite its high CVSS score of 8.7.

Information Disclosure Lan Kontroler V3.5 Lk3.9 +2
NVD
Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
12500