CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

Database totals: 337,123 CVEs tracked; 53,223 with exploits; 4,686 exploited in the wild; 1,539 in CISA KEV; 3,912 Nuclei templates; 37,757 vendors; 42,429 researchers.
114 results
CVE-2026-29788 EPSS 0.00
TSPortal <30 - Auth Bypass
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
CWE-1287 Mar 06, 2026
CVE-2026-2004 8.8 HIGH EPSS 0.00
PostgreSQL <18.2, 17.8, 16.12, 15.16, 14.21 - RCE
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CWE-1287 Feb 12, 2026
CVE-2026-2003 4.3 MEDIUM EPSS 0.00
PostgreSQL <18.2-14.21 - Info Disclosure
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CWE-1287 Feb 12, 2026
CVE-2026-20119 7.5 HIGH EPSS 0.00
Cisco TelePresence CE/RoomOS - DoS
A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
CWE-1287 Feb 04, 2026
CVE-2026-24307 9.3 CRITICAL EPSS 0.00
M365 Copilot - Info Disclosure
Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CWE-1287 Jan 22, 2026
CVE-2025-53627 5.3 MEDIUM EPSS 0.00
Meshtastic <2.5 - Info Disclosure
Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue.
CWE-1287 Dec 29, 2025
CVE-2025-12689 6.5 MEDIUM EPSS 0.00
Mattermost <11.0.4, <10.12.2, <10.11.6 - DoS
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plug-in by sending a malformed request.
CWE-1287 Dec 17, 2025
CVE-2025-13352 3.0 LOW EPSS 0.00
Mattermost <10.11.7 - RCE
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate the plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts.
CWE-1287 Dec 17, 2025
CVE-2024-2105 6.5 MEDIUM EPSS 0.00
Device <unknown> - DoS
An unauthorised attacker within Bluetooth range may exploit improper validation during the BLE connection request to deadlock the affected devices.
CWE-1287 Dec 10, 2025
CVE-2025-32901 4.3 MEDIUM 1 PoC Analysis EPSS 0.00
KDE Connect <1.33.0 - DoS
In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
CWE-1287 Dec 05, 2025
CVE-2025-20756 6.5 MEDIUM EPSS 0.00
Mediatek Nr15 - Denial of Service
In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643.
CWE-1287 Dec 02, 2025
CVE-2025-60633 6.5 MEDIUM EPSS 0.00
Free5GC <4.0.1 - DoS
An issue was discovered in Free5GC v4.0.0 and v4.0.1 that allows an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
CWE-1287 Nov 24, 2025
CVE-2025-12977 9.1 CRITICAL EPSS 0.00
Fluent Bit - Path Traversal
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.
CWE-1287 Nov 24, 2025
CVE-2025-41729 7.5 HIGH EPSS 0.00
Modbus <unknown> - DoS
An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.
CWE-1287 Nov 24, 2025
CVE-2025-9524 4.3 MEDIUM EPSS 0.00
VAPIX API - Buffer Overflow
The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer-, operator-, or administrator-privileged service account.
CWE-1287 Nov 11, 2025
CVE-2025-8108 6.7 MEDIUM EPSS 0.00
Axis OS < 12.7.33 - Privilege Escalation
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
CWE-1287 Nov 11, 2025
CVE-2025-6298 6.7 MEDIUM EPSS 0.00
ACAP - Privilege Escalation
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
CWE-1287 Nov 11, 2025
CVE-2025-4645 6.7 MEDIUM EPSS 0.00
Axis ACAP - Code Injection
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
CWE-1287 Nov 11, 2025
CVE-2025-59278 7.8 HIGH EPSS 0.00
Windows Authentication Methods - Privilege Escalation
Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.
CWE-1287 Oct 14, 2025
CVE-2025-59277 7.8 HIGH EPSS 0.00
Windows Authentication Methods - Privilege Escalation
Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.
CWE-1287 Oct 14, 2025