8 matches found
CVE-2025-12147
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search...
EUVD-2025-36687
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search...
CVE-2025-12147
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are misapplied on object-valued fields. An FLS exclusion (for example ~field) removes the object from the _source in search results, but the object’s child attributes remain accessible to queries, enabling potential ...
CVE-2025-12147 Unauthorized access to fields protected by Field-Level Security (FLS) when those fields are members of an object
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search...
PT-2025-44309
Name of the Vulnerable Software and Affected Versions: Search Guard FLX versions 3.1.1 and earlier. Description: Field-Level Security (FLS) rules are not properly enforced on object-valued fields. When an FLS exclusion rule is applied to a field containing an object, the object is removed from search...
PT-2025-32597 · Maven · Org.Opensearch.Plugin:Opensearch-Security
Impact: OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security (FLS) rules on fields which are not at the top level of the source document tree, i.e., which are members of a JSON object. If an FLS exclusion rule like object is applied to an object valued attribute in a source...
IBM SPSS ExportHTML.dll ActiveX Control Render Method Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Render method expos...
Design/Logic Flaw
Smarty before 3.0.0, when security is enabled, does not prevent access to the (1) dynamic and (2) private object members of an assigned object, which has unspecified impact and remote attack vectors...