Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Archived Security Brief
Yesterday's vulnerability disclosures revealed 5 critical CVEs, representing an 86% decrease from the prior day's 37 critical findings. High-priority vulnerabilities remained steady at 100, unchanged from the previous reporting period. Five actively exploited vulnerabilities require attention, including CVE-2025-14847 affecting MongoDB, CVE-2026-20805 targeting Microsoft Windows, and CVE-2025-37164 in HPE OneView. Notable critical vulnerabilities include CVE-2026-22686 and CVE-2026-23550, both scoring CVSS 10.0, affecting Enclave JavaScript sandbox and Modular DS respectively, along with CVE-2025-14301 impacting WooCommerce integrations. Patch availability stands at 0%, necessitating compensating controls and monitoring until vendor updates become available.
5 critical CVEs disclosed, down 86% from 37 the prior day
100 high-priority CVEs, unchanged from previous reporting period
5 actively exploited vulnerabilities affecting MongoDB, Microsoft Windows, HPE OneView, and Gogs
0% patch availability for disclosed vulnerabilities
WordPress plugins (Integration Opvius AI, News and Blog Designer Bundle) and enterprise systems (MongoDB Server, HPE OneView) among affected products
Immediate action: Organizations running MongoDB, Microsoft Windows, HPE OneView, Gogs, or affected WordPress plugins should implement network segmentation and enhanced monitoring as compensating controls. With no patches currently available, prioritize vulnerability scanning to identify exposed assets and establish alerting for vendor security bulletins.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2025-14847
9.5
MongoDBMongoDB and MongoDB Server
⏰ Federal Deadline:January 18, 2026(4 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2009-0556
9.5
MicrosoftOffice
⏰ Federal Deadline:January 27, 2026(13 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-37164
9.5📝
Hewlett Packard Enterprise (HPE)OneView
⏰ Federal Deadline:January 27, 2026(13 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2025-8110
9.5
GogsGogs
⏰ Federal Deadline:February 1, 2026(18 days remaining)
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-20805
9.5
MicrosoftWindows
⏰ Federal Deadline:February 2, 2026(19 days remaining)
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2025-14301
9.8📝
The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions upMultiple Products
The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.
CVSS Base9.8
→
CRSSelect profile
CVE-2025-14502
9.8📝
The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions upMultiple Products
The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
CVSS Base9.8
→
CRSSelect profile
CVE-2026-22686
10📝
Enclave is a secure JavaScript sandbox designed for safe AI agent codeMultiple Products
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.
CVSS Base10
→
CRSSelect profile
CVE-2026-23550
10📝
Incorrect Privilege Assignment vulnerability in Modular DS allows PrivilegeMultiple Products
Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1.
CVSS Base10
→
CRSSelect profile
CVE-2025-70968
9.8📝
FreeImageMultiple Products
FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
CVSS Base9.8
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2025-25249
8.1📝
FortinetMultiple Products
A heap-based buffer overflow vulnerability in Fortinet FortiOS 7
CVSS Base8.1
→
CRSSelect profile
CVE-2026-20868
8.8📝
UnknownMultiple Products
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50911
8.8📝
UnknownMultiple Products
Bitrix24 contains an authenticated remote code execution vulnerability that allows logged-in attackers to execute arbitrary system commands through the PHP command line admin interface
CVSS Base8.8
→
CRSSelect profile
CVE-2026-0859
7.8📝
webMultiple Products
TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server
CVSS Base7.8
→
CRSSelect profile
CVE-2026-22817
8.2📝
HonoMultiple Products
Hono is a Web application framework that provides support for any JavaScript runtime
CVSS Base8.2
→
CRSSelect profile
CVE-2026-22818
8.2📝
HonoMultiple Products
Hono is a Web application framework that provides support for any JavaScript runtime
CVSS Base8.2
→
CRSSelect profile
CVE-2026-20947
8.8📝
MicrosoftMultiple Products
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network
CVSS Base8.8
→
CRSSelect profile
CVE-2026-20963
8.8📝
MicrosoftMultiple Products
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network
CVSS Base8.8
→
CRSSelect profile
CVE-2026-20832
7.8📝
WindowsMultiple Products
Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20843
7.8📝
ImproperMultiple Products
Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20952
8.4📝
MicrosoftMultiple Products
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally
CVSS Base8.4
→
CRSSelect profile
CVE-2026-20953
8.4📝
MicrosoftMultiple Products
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally
CVSS Base8.4
→
CRSSelect profile
CVE-2026-20820
7.8📝
UnknownMultiple Products
Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20822
7.8📝
MicrosoftMultiple Products
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20837
7.8📝
UnknownMultiple Products
Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20840
7.8
UnknownMultiple Products
Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20858
7.8
UseMultiple Products
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20859
7.8
UseMultiple Products
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2025-36640
8.8📝
hasMultiple Products
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges
CVSS Base8.8
→
CRSSelect profile
CVE-2026-23492
8.8
PimcoreMultiple Products
Pimcore is an Open Source Data & Experience Management Platform
CVSS Base8.8
→
CRSSelect profile
CVE-2026-0532
8.6
GoogleMultiple Products
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration
CVSS Base8.6
→
CRSSelect profile
CVE-2026-23512
8.6
SumatraPDFMultiple Products
SumatraPDF is a multi-format reader for Windows
CVSS Base8.6
→
CRSSelect profile
CVE-2026-20944
8.4📝
MicrosoftMultiple Products
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50931
8.4
TeamSpeakMultiple Products
TeamSpeak 3
CVSS Base8.4
→
CRSSelect profile
CVE-2025-59022
8.1
BackendMultiple Products
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table
CVSS Base8.1
→
CRSSelect profile
CVE-2026-0891
8.1
FirefoxMultiple Products
Memory safety bugs present in Firefox ESR 140
CVSS Base8.1
→
CRSSelect profile
CVE-2026-20856
8.1
WindowsMultiple Products
Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network
CVSS Base8.1
→
CRSSelect profile
CVE-2026-20931
8
ExternalMultiple Products
External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network
CVSS Base8
→
CRSSelect profile
CVE-2026-20809
7.8
UnknownMultiple Products
Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20810
7.8
FreeMultiple Products
Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20811
7.8
AccessMultiple Products
Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20816
7.8
UnknownMultiple Products
Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20817
7.8
ImproperMultiple Products
Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20826
7.8
ConcurrentMultiple Products
Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20831
7.8
UnknownMultiple Products
Time-of-check time-of-use (toctou) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20857
7.8
UntrustedMultiple Products
Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20860
7.8
AccessMultiple Products
Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20861
7.8
ConcurrentMultiple Products
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2025-13444
8.4
API in ProgressMultiple Products
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
CVSS Base8.4
→
CRSSelect profile
CVE-2025-13447
8.4
API in ProgressMultiple Products
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50917
8.4
ProtonVPNMultiple Products
ProtonVPN 1
CVSS Base8.4
→
CRSSelect profile
CVE-2025-11669
8.1
PasswordMultiple Products
Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality
CVSS Base8.1
→
CRSSelect profile
CVE-2025-58411
8.8
SoftwareMultiple Products
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario
CVSS Base8.8
→
CRSSelect profile
CVE-2025-10865
7.8
SoftwareMultiple Products
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free
CVSS Base7.8
→
CRSSelect profile
CVE-2026-20864
7.8
UnknownMultiple Products
Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally
CVSS Base7.8
→
CRSSelect profile
CVE-2025-13774
8.8
priorMultiple Products
A vulnerability exists in Progress Flowmon ADS versions prior to 12
CVSS Base8.8
→
CRSSelect profile
CVE-2026-0880
8.8
SandboxMultiple Products
Sandbox escape due to integer overflow in the Graphics component
CVSS Base8.8
→
CRSSelect profile
CVE-2026-0882
8.8
UnknownMultiple Products
Use-after-free in the IPC component
CVSS Base8.8
→
CRSSelect profile
CVE-2026-22861
8.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50806
8.8
UnknownMultiple Products
4images 1
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50898
8.8
NanoCMSMultiple Products
NanoCMS 0
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50907
8.8
CMSMultiple Products
e107 CMS version 3
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50909
8.8
AlgoMultiple Products
Algo 8028 Control Panel version 3
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50916
8.8
CMSMultiple Products
e107 CMS version 3
CVSS Base8.8
→
CRSSelect profile
CVE-2022-50936
8.8
CMSMultiple Products
WBCE CMS version 1
CVSS Base8.8
→
CRSSelect profile
CVE-2025-66698
8.6
issueMultiple Products
An issue in Semantic machines v5
CVSS Base8.6
→
CRSSelect profile
CVE-2026-21267
8.6
DesktopMultiple Products
Dreamweaver Desktop versions 21
CVSS Base8.6
→
CRSSelect profile
CVE-2026-21268
8.6
DesktopMultiple Products
Dreamweaver Desktop versions 21
CVSS Base8.6
→
CRSSelect profile
CVE-2026-21271
8.6
DesktopMultiple Products
Dreamweaver Desktop versions 21
CVSS Base8.6
→
CRSSelect profile
CVE-2026-21272
8.6
DesktopMultiple Products
Dreamweaver Desktop versions 21
CVSS Base8.6
→
CRSSelect profile
CVE-2026-21280
8.6
IllustratorMultiple Products
Illustrator versions 29
CVSS Base8.6
→
CRSSelect profile
CVE-2022-50693
8.4
SplashtopMultiple Products
Splashtop 8
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50808
8.4
CoolerMasterMultiple Products
CoolerMaster MasterPlus 1
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50900
8.4
WondershareMultiple Products
Wondershare Dr
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50901
8.4
WondershareMultiple Products
Wondershare Dr
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50902
8.4
WondershareMultiple Products
Wondershare FamiSafe 1
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50903
8.4
WondershareMultiple Products
Wondershare MobileTrans 3
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50904
8.4
WondershareMultiple Products
Wondershare UBackit 2
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50913
8.4
ITeCMultiple Products
ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50914
8.4
DataMultiple Products
EaseUS Data Recovery 15
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50915
8.4
PTPublisherMultiple Products
PTPublisher 2
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50918
8.4
RuntimeMultiple Products
VIVE Runtime Service 1
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50920
8.4
UnknownMultiple Products
Sandboxie-Plus 5
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50921
8.4
UnknownMultiple Products
WOW21 5
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50923
8.4
CobianMultiple Products
Cobian Backup 0
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50924
8.4
InternetMultiple Products
Private Internet Access 3
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50928
8.4
BlueSoleilCSMultiple Products
BlueSoleilCS 5
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50929
8.4
its ConnectifyServiceMultiple Products
Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50930
8.4
MachineMultiple Products
Emerson PAC Machine Edition 9
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50933
8.4
CainMultiple Products
Cain & Abel 4
CVSS Base8.4
→
CRSSelect profile
CVE-2022-50938
8.4
CONTPAQiMultiple Products
CONTPAQi AdminPAQ 14
CVSS Base8.4
→
CRSSelect profile
CVE-2023-53984
8.4
HotKeyMultiple Products
Clevo HotKey Clipboard 2
CVSS Base8.4
→
CRSSelect profile
CVE-2023-54331
8.4
OutlineMultiple Products
Outline 1
CVSS Base8.4
→
CRSSelect profile
CVE-2023-54336
8.4
MedicontaMultiple Products
Mediconta 3
CVSS Base8.4
→
CRSSelect profile
CVE-2023-54338
8.4
UnknownMultiple Products
Tftpd32 SE 4
CVSS Base8.4
→
CRSSelect profile
CVE-2025-68957
8.4
card frameworkMultiple Products
Multi-thread race condition vulnerability in the card framework module
CVSS Base8.4
→
CRSSelect profile
CVE-2025-68960
8.4
video frameworkMultiple Products
Multi-thread race condition vulnerability in the video framework module
CVSS Base8.4
→
CRSSelect profile
CVE-2025-65397
8.4
insecureMultiple Products
An insecure authentication mechanism in the safe_exec
CVSS Base8.4
→
CRSSelect profile
CVE-2026-0861
8.4
LibraryMultiple Products
Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc, valloc, pvalloc) in the GNU C Library version 2
CVSS Base8.4
→
CRSSelect profile
CVE-2025-37168
8.2
ArbitraryMultiple Products
Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system
CVSS Base8.2
→
CRSSelect profile
CVE-2022-50805
8.2
ManagementMultiple Products
Senayan Library Management System 9
CVSS Base8.2
→
CRSSelect profile
CVE-2022-50892
8.2
WallpaperMultiple Products
VIAVIWEB Wallpaper Admin 1
CVSS Base8.2
→
CRSSelect profile
CVE-2022-50895
8.2
AeroMultiple Products
Aero CMS 0
CVSS Base8.2
→
CRSSelect profile
CVE-2023-54333
8.2
UnknownMultiple Products
Social-Share-Buttons 2
CVSS Base8.2
→
CRSSelect profile
CVE-2023-54340
8.2
WorkOrderMultiple Products
WorkOrder CMS 0
CVSS Base8.2
→
CRSSelect profile
CVE-2026-0877
8.1
MitigationMultiple Products
Mitigation bypass in the DOM: Security component
CVSS Base8.1
→
CRSSelect profile
CVE-2026-0878
8
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
CVSS Base8
→
CRSSelect profile
CVE-2025-68955
8
card frameworkMultiple Products
Multi-thread race condition vulnerability in the card framework module
CVSS Base8
→
CRSSelect profile
CVE-2025-68956
8
card frameworkMultiple Products
Multi-thread race condition vulnerability in the card framework module
CVSS Base8
→
CRSSelect profile
CVE-2025-68958
8
card frameworkMultiple Products
Multi-thread race condition vulnerability in the card framework module