{"vulnerability": "CVE-2026-5087", "sightings": [{"uuid": "e6f358c3-d926-455d-a467-400f04d19c05", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5087", "type": "published-proof-of-concept", "source": "Telegram/qTocgF1bA6EikMAxrpKqC2AQPtdVVaE6KT_y64KQmK5LJ1E", "content": "", "creation_timestamp": "2026-04-03T21:17:42.000000Z"}, {"uuid": "e917d1e1-b8ac-4f0d-ae1f-34801a53c85e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5087", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mieqjpuhg62p", "content": "", "creation_timestamp": "2026-03-31T17:51:54.362775Z"}, {"uuid": "6428ba37-e264-45c2-b231-c10600780afa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50879", "type": "seen", "source": "https://gist.github.com/pyuysig/807d92e6d8e7648d140d004f3b54b08b", "content": "# Vulnerability Report: CVE-2026-50879 - linx-server - Multipart upload parsed to disk before max size enforcement\n\n## Vulnerability Summary\nAndrei Marcu linx-server 2.3.8 contains a denial-of-service issue in multipart upload handling. A remote attacker can send an oversized multipart/form-data POST request to /upload/ so that the request body is parsed into temporary files before the application enforces its maxsize limit, leading to disk exhaustion.\n\n## Affected Product\n- **Vendor**: Andrei Marcu\n- **Product**: linx-server\n- **Version**: 2.3.8\n- **Vulnerable Component**: POST /upload/ multipart/form-data handling in uploadPostHandler\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error\n- **Weakness**: CWE-400\n- **Attack Conditions**: Remote oversized multipart/form-data POST request to /upload/.\n\n## Report Body\n\n### Summary\nAndrei Marcu linx-server 2.3.8 contains a denial-of-service issue in multipart upload handling. A remote attacker can send an oversized multipart/form-data POST request to /upload/ so that the request body is parsed into temporary files before the application enforces its maxsize limit, leading to disk exhaustion.\n\n### Details\nThe upload handler allows multipart parsing to materialize request data into temporary files before applying the intended application maxsize restriction.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50879.\n3. Confirm the security result: Oversized multipart requests create temporary files and consume disk before the handler rejects the request by configured size.\n\n### Impact\nRemote disk exhaustion and denial of service through oversized multipart upload requests.\n\n## Remediation\nEnforce request body limits before multipart parsing and configure the parser with strict maximum file and memory limits.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:47.000000Z"}, {"uuid": "deb4aa08-e3ba-4ce2-8e1e-8bec6509c177", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50877", "type": "seen", "source": "https://gist.github.com/pyuysig/ed896b93637aa6501e5f80def198c626", "content": "# Vulnerability Report: CVE-2026-50877 - SuperBin - Generated ZIP preserves traversal filenames\n\n## Vulnerability Summary\nZhoros SuperBin 1.0.0 contains a directory traversal issue in multi-file ZIP generation. A remote attacker can upload files with crafted traversal filenames that are preserved in the generated ZIP, causing files to be written outside the intended extraction directory when a victim extracts the archive on affected platforms.\n\n## Affected Product\n- **Vendor**: Zhoros\n- **Product**: SuperBin\n- **Version**: 1.0.0\n- **Vulnerable Component**: fileWriters.go, MultipleFileWriter multi-file upload ZIP generation\n\n## Vulnerability Details\n- **Vulnerability Type**: Directory Traversal\n- **Weakness**: CWE-22\n- **Attack Conditions**: Upload multiple files with Windows-style traversal names such as ..\\..\\.git\\hooks\\post-checkout and induce a victim to extract the generated ZIP.\n\n## Report Body\n\n### Summary\nZhoros SuperBin 1.0.0 contains a directory traversal issue in multi-file ZIP generation. A remote attacker can upload files with crafted traversal filenames that are preserved in the generated ZIP, causing files to be written outside the intended extraction directory when a victim extracts the archive on affected platforms.\n\n### Details\nThe ZIP writer preserves attacker-controlled uploaded filenames without normalizing or rejecting traversal components before creating archive entries.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50877.\n3. Confirm the security result: The generated ZIP contains entries with traversal path components. Extraction with vulnerable or permissive tools writes files outside the expected destination.\n\n### Impact\nTraversal file entries in generated ZIP archives can overwrite files during victim-side extraction; in Git working trees on Windows this can be used to plant hook files under some extraction workflows.\n\n## Remediation\nNormalize archive entry names, reject absolute paths and traversal segments, and store uploaded files under safe generated names.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:44.000000Z"}, {"uuid": "7ca49480-813f-4919-b516-7c2339dd75f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50875", "type": "seen", "source": "https://gist.github.com/pyuysig/49dbaa25ec20f2258749bdae6ebf0377", "content": "# Vulnerability Report: CVE-2026-50875 - Input - Cross-tenant webhook update and delete IDOR\n\n## Vulnerability Summary\nDeck9 Input 2.0.1 contains an incorrect access control issue in nested form webhook routes. An authenticated user can combine an attacker-controlled form identifier with a victim-owned webhook identifier in update or delete requests, leading to unauthorized modification or deletion of another tenant's webhook.\n\n## Affected Product\n- **Vendor**: Deck9\n- **Product**: Input\n- **Version**: 2.0.1\n- **Vulnerable Component**: forms/{form}/webhooks/{webhook} update/delete endpoints, FormWebhookController, FormWebhookRequest authorization path\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863\n- **Attack Conditions**: Remote authenticated request to forms/{form}/webhooks/{webhook} using mismatched form and webhook identifiers.\n\n## Report Body\n\n### Summary\nDeck9 Input 2.0.1 contains an incorrect access control issue in nested form webhook routes. An authenticated user can combine an attacker-controlled form identifier with a victim-owned webhook identifier in update or delete requests, leading to unauthorized modification or deletion of another tenant's webhook.\n\n### Details\nThe nested route authorization path does not sufficiently bind the webhook object to the parent form controlled by the requester. This allows object identifiers from different tenants to be combined in a request.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50875.\n3. Confirm the security result: An authenticated user can update or delete a webhook owned by another tenant by sending a crafted nested route request.\n\n### Impact\nUnauthorized cross-tenant webhook modification or deletion by an authenticated user.\n\n## Remediation\nAuthorize the webhook through the parent form relationship and reject requests where the webhook does not belong to the requester-controlled form.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:42.000000Z"}, {"uuid": "ed9aaed0-d953-447f-8e8f-c1cfd68169dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50874", "type": "seen", "source": "https://gist.github.com/pyuysig/7df16c08213f809592bbc7053c079aba", "content": "# Vulnerability Report: CVE-2026-50874 - Shaark - Archive feature binary path settings can lead to command injection\n\n## Vulnerability Summary\nShaark 1.2.44 contains an OS command injection issue in archive feature checks. An authenticated administrator can set archive binary settings such as node_bin or youtube_dl_bin to a shell metacharacter payload and then trigger the media or PDF feature check endpoint, leading to command execution.\n\n## Affected Product\n- **Vendor**: MarceauKa\n- **Product**: Shaark\n- **Version**: 1.2.44\n- **Vulnerable Component**: archive settings for node_bin and youtube_dl_bin, GET /api/manage/features/pdf, GET /api/manage/features/media\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Remote authenticated administrator updates archive binary settings and triggers GET /api/manage/features/pdf or GET /api/manage/features/media.\n\n## Report Body\n\n### Summary\nShaark 1.2.44 contains an OS command injection issue in archive feature checks. An authenticated administrator can set archive binary settings such as node_bin or youtube_dl_bin to a shell metacharacter payload and then trigger the media or PDF feature check endpoint, leading to command execution.\n\n### Details\nThe application stores administrator-controlled binary path settings and later invokes those values during archive feature checks. Shell metacharacters in the configured path can be interpreted by the execution path.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50874.\n3. Confirm the security result: Setting node_bin or youtube_dl_bin to a command payload and triggering the feature check causes the payload to execute.\n\n### Impact\nCommand execution by an authenticated administrator through archive feature configuration and checks.\n\n## Remediation\nTreat configured executable paths as data, validate them against trusted paths, and execute without shell interpretation.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:40.000000Z"}, {"uuid": "e343305d-49b7-42c5-96b9-fbd3f6ec46f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50873", "type": "seen", "source": "https://gist.github.com/pyuysig/ab0af5b10877fb906941e05a69b202a7", "content": "# Vulnerability Report: CVE-2026-50873 - flatnotes - Active HTML and SVG attachments can execute script in users browsers\n\n## Vulnerability Summary\nflatnotes 5.5.4 contains a cross-site scripting issue in attachment handling. A remote authenticated attacker can upload an HTML or SVG attachment and cause a victim to open the attachment URL, resulting in execution of attacker-controlled script in the victim browser context.\n\n## Affected Product\n- **Vendor**: Adam Dullage\n- **Product**: flatnotes\n- **Version**: 5.5.4\n- **Vulnerable Component**: /api/attachments, /attachments/{filename}, server/attachments/file_system/file_system.py\n\n## Vulnerability Details\n- **Vulnerability Type**: Cross Site Scripting (XSS)\n- **Weakness**: CWE-79\n- **Attack Conditions**: Upload a malicious HTML or SVG attachment through /api/attachments and induce a victim to open /attachments/{filename}.\n\n## Report Body\n\n### Summary\nflatnotes 5.5.4 contains a cross-site scripting issue in attachment handling. A remote authenticated attacker can upload an HTML or SVG attachment and cause a victim to open the attachment URL, resulting in execution of attacker-controlled script in the victim browser context.\n\n### Details\nAttachment upload and serving allow active content types to be retrievable in a way that browsers can render as HTML or SVG. Without safe Content-Type or Content-Disposition controls or content restrictions, uploaded active content can run script.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50873.\n3. Confirm the security result: A malicious HTML or SVG file uploaded as an attachment executes script when the generated attachment URL is opened by a victim.\n\n### Impact\nStored or hosted active content execution in a victim browser when the uploaded attachment URL is opened.\n\n## Remediation\nBlock active HTML/SVG attachments or serve untrusted attachments with safe content types and Content-Disposition: attachment. Apply strict CSP and content sniffing protections.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:39.000000Z"}, {"uuid": "786f6aec-79d9-4b36-a0e2-57e513bac287", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50872", "type": "seen", "source": "https://gist.github.com/pyuysig/272bf96c028ed45ad010b7c75937c914", "content": "# Vulnerability Report: CVE-2026-50872 - selfoss - Loopback trust handling can grant unintended access behind same-host proxy\n\n## Vulnerability Summary\nfossar selfoss 2.20-SNAPSHOT contains an incorrect access control issue in loopback request handling. When selfoss is deployed behind a same-host reverse proxy that forwards requests from 127.0.0.1 or ::1 without preserving the original client address, external attackers can be treated as trusted loopback clients and access privileged functionality, including SSRF through source title fetching.\n\n## Affected Product\n- **Vendor**: fossar\n- **Product**: selfoss\n- **Version**: 2.20-SNAPSHOT / 2.20 unreleased branch\n- **Vulnerable Component**: src/helpers/Authentication/AuthenticationFactory.php, src/helpers/Authentication/Services/Trust.php, POST /source, src/controllers/Sources/Write.php\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-284, CWE-918\n- **Attack Conditions**: External request through a same-host reverse proxy that forwards to selfoss from loopback without X-Forwarded-For or Forwarded headers, followed by POST /source with an attacker-controlled RSS URL.\n\n## Report Body\n\n### Summary\nfossar selfoss 2.20-SNAPSHOT contains an incorrect access control issue in loopback request handling. When selfoss is deployed behind a same-host reverse proxy that forwards requests from 127.0.0.1 or ::1 without preserving the original client address, external attackers can be treated as trusted loopback clients and access privileged functionality, including SSRF through source title fetching.\n\n### Details\nThe trust/authentication layer treats loopback-originated requests as full-access trusted requests. In same-host reverse proxy deployments that do not forward original client address metadata, external traffic reaches selfoss with a loopback source address and inherits that trust decision.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50872.\n3. Confirm the security result: A request routed through such a proxy can access protected selfoss functionality and trigger server-side fetches via POST /source.\n\n### Impact\nContext-dependent authentication bypass and follow-on SSRF through source creation/title fetching.\n\n## Remediation\nDo not grant full access solely based on loopback source address in reverse-proxy deployments. Require explicit trusted proxy configuration and authenticated sessions for sensitive endpoints.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:38.000000Z"}, {"uuid": "88d1253f-b390-45a0-ae42-9be39455bc7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50871", "type": "seen", "source": "https://gist.github.com/pyuysig/01f00b5d7575f5a776b1f132ef9ecb46", "content": "# Vulnerability Report: CVE-2026-50871 - Reminiscence - Authenticated Windows media archiving command injection\n\n## Vulnerability Summary\nkanishka-linux Reminiscence 0.3.0 contains an OS command injection issue in the Windows media archiving and export pipeline. An authenticated user can store a crafted download_manager value and then trigger media archiving or Chromium export processing, leading to command execution on Windows deployments.\n\n## Affected Product\n- **Vendor**: kanishka-linux\n- **Product**: Reminiscence\n- **Version**: 0.3.0 on Windows deployments\n- **Vulnerable Component**: pages/views.py settings update handler, UserSettings.download_manager, pages/dbaccess.py media archiving and Chromium export subprocess helpers\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Remote authenticated user stores a crafted download_manager value and triggers a media URL or export operation that reaches the Windows shell execution path.\n\n## Report Body\n\n### Summary\nkanishka-linux Reminiscence 0.3.0 contains an OS command injection issue in the Windows media archiving and export pipeline. An authenticated user can store a crafted download_manager value and then trigger media archiving or Chromium export processing, leading to command execution on Windows deployments.\n\n### Details\nThe application stores a user-controlled download_manager setting and later uses it in media archiving or export helper execution. On Windows, the execution path allows shell metacharacters in that stored value to influence command execution.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50871.\n3. Confirm the security result: A crafted download_manager value is persisted by an authenticated account and later interpreted when the application processes media archiving or export work, causing attacker-controlled command execution on Windows.\n\n### Impact\nAuthenticated command execution on affected Windows deployments.\n\n## Remediation\nDo not execute user-configurable command paths through a shell. Restrict download manager choices to trusted binaries and pass arguments as an argv array without shell interpretation.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:36.000000Z"}, {"uuid": "058cfe85-dc12-4999-a1aa-6deb9e115193", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50870", "type": "seen", "source": "https://gist.github.com/pyuysig/b15055668de5fa09d08448ce830bba10", "content": "# Vulnerability Report: CVE-2026-50870 - whoogle-search - BYOK configuration values can disclose Google Custom Search credentials\n\n## Vulnerability Summary\nBen Busby whoogle-search 1.2.3 contains an information disclosure issue in configuration serialization and rendering. When Google Custom Search BYOK settings are enabled, a remote attacker can request configuration-bearing pages or endpoints and recover the configured cse_api_key and cse_id.\n\n## Affected Product\n- **Vendor**: Ben Busby\n- **Product**: whoogle-search\n- **Version**: 1.2.3\n- **Vulnerable Component**: app/models/config.py, GET /config in app/routes.py, app/templates/index.html, app/templates/header.html\n\n## Vulnerability Details\n- **Vulnerability Type**: Information Disclosure\n- **Weakness**: CWE-201\n- **Attack Conditions**: Remote request to /, /search, or GET /config on a reachable Whoogle instance with BYOK enabled.\n\n## Report Body\n\n### Summary\nBen Busby whoogle-search 1.2.3 contains an information disclosure issue in configuration serialization and rendering. When Google Custom Search BYOK settings are enabled, a remote attacker can request configuration-bearing pages or endpoints and recover the configured cse_api_key and cse_id.\n\n### Details\nBYOK settings are included in configuration data that is serialized or rendered back to clients. This exposes secret configuration values to unauthenticated or unintended readers of the generated page or configuration endpoint.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50870.\n3. Confirm the security result: Requesting the affected configuration-bearing pages on a BYOK-enabled instance exposes or allows decoding of cse_api_key and cse_id values.\n\n### Impact\nDisclosure of Google Custom Search BYOK credentials configured in the Whoogle instance.\n\n## Remediation\nNever serialize or render secret BYOK values to clients. Return only non-secret metadata or masked values, and keep API keys server-side.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:35.000000Z"}, {"uuid": "329fc02f-a2bb-4c19-927e-26977291221b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50878", "type": "seen", "source": "https://gist.github.com/pyuysig/d4c2ace69162c82f1df197ce0f45d63f", "content": "# Vulnerability Report: CVE-2026-50878 - MailForm - Attachment temporary files are not cleaned up after multipart parsing\n\n## Vulnerability Summary\nFeuerhamster MailForm 1.1.0 contains a temporary file cleanup flaw in attachment handling for the /:target upload route. A remote attacker can repeatedly submit multipart/form-data requests with attachments to a reachable target, causing uploaded temporary files to persist on disk after request completion and leading to disk exhaustion and denial of service.\n\n## Affected Product\n- **Vendor**: Feuerhamster\n- **Product**: MailForm\n- **Version**: 1.1.0\n- **Vulnerable Component**: src/router.ts /:target route, Formidable parsing, src/services/email.ts attachment mapping and sendMail flow\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error\n- **Weakness**: CWE-400\n- **Attack Conditions**: Remote repeated multipart/form-data requests with attachments to a reachable /:target route.\n\n## Report Body\n\n### Summary\nFeuerhamster MailForm 1.1.0 contains a temporary file cleanup flaw in attachment handling for the /:target upload route. A remote attacker can repeatedly submit multipart/form-data requests with attachments to a reachable target, causing uploaded temporary files to persist on disk after request completion and leading to disk exhaustion and denial of service.\n\n### Details\nThe route constructs a Formidable parser and parses multipart requests into temporary files. It then passes file.filepath values into Nodemailer attachment objects. The request path does not remove those temporary files after successful or failed request handling, so repeated uploads accumulate files on disk.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50878.\n3. Confirm the security result: Repeated attachment submissions leave temporary files present after request completion and increase disk usage until service availability is affected.\n\n### Impact\nRemote disk exhaustion and denial of service on deployments that accept attachment uploads.\n\n## Remediation\nDelete Formidable temporary files after email delivery or request failure, enforce upload size and count limits, and store attachment temporary files in a bounded cleanup-managed directory.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:46.000000Z"}]}