High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| leopardhost–TNC Toolbox: Web Performance | The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the “Tnc_Wp_Toolbox_Settings::save_settings” function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment. | 2025-11-11 | 10 | CVE-2025-12539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6 |
| IBM–AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56346. | 2025-11-13 | 10 | CVE-2025-36250 | https://www.ibm.com/support/pages/node/7251173 |
| SAP_SE–SQL Anywhere Monitor (Non-GUI) | SQL Anywhere Monitor (Non-GUI) has credentials baked into the code, exposing resources or functionality to unintended users and giving attackers the possibility of arbitrary code execution. This could have a high impact on the confidentiality, integrity and availability of the system. | 2025-11-11 | 10 | CVE-2025-42890 | https://me.sap.com/notes/3666261 https://url.sap/sapsecuritypatchday |
| General Industrial Controls–Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device. | 2025-11-14 | 10 | CVE-2025-58083 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| kddiwebcommunications–WP for CPI | The WP移行専用プラグイン for CPI (WP migration plugin for CPI) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server, which may make remote code execution possible. | 2025-11-11 | 9.8 | CVE-2025-11170 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve https://wordpress.org/plugins/cpi-wp-migration/ |
| easycommerce–EasyCommerce AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin | The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.5.0. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site. | 2025-11-11 | 9.8 | CVE-2025-11457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ebe84ba-abc1-410c-b315-118746ff235a?source=cve https://wordpress.org/plugins/easycommerce/ |
| TrioFox–TrioFox | Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. | 2025-11-10 | 9.1 | CVE-2025-12480 | https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md https://www.triofox.com/ https://access.triofox.com/releases_history/ https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 |
| pgadmin.org–pgAdmin 4 | pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. | 2025-11-13 | 9.1 | CVE-2025-12762 | https://github.com/pgadmin-org/pgadmin4/issues/9320 |
| strix-bubol5–Holiday class post calendar | The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the ‘contents’ parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. | 2025-11-11 | 9.8 | CVE-2025-12813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234 |
| Hundred Plus–EIP Plus | EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing an unauthenticated remote attacker to predict or brute-force the ‘forgot password’ link and thereby reset any user’s password. | 2025-11-10 | 9.8 | CVE-2025-12866 | https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html |
| CyberTutor–New Site Server | New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website. | 2025-11-10 | 9.8 | CVE-2025-12868 | https://www.twcert.org.tw/tw/cp-132-10493-bf807-1.html https://www.twcert.org.tw/en/cp-139-10492-84a10-2.html |
| aEnrich–a+HRD | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges. | 2025-11-12 | 9.8 | CVE-2025-12870 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| aEnrich–a+HRD | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges. | 2025-11-12 | 9.8 | CVE-2025-12871 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| Avast–(Free/Premium/Ultimate) Antivirus | Double fetch in the sandbox kernel driver in Avast/AVG Antivirus <25.3 on Windows allows a local attacker to escalate privileges via a pool overflow. | 2025-11-11 | 9.9 | CVE-2025-13032 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| D-Link–DIR-816L | A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Manipulation of the argument Password results in a stack-based buffer overflow. Remote exploitation is possible. The exploit is public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-14 | 9.8 | CVE-2025-13188 | VDB-332476 (D-Link DIR-816L authentication.cgi authenticationcgi_main stack-based overflow); CTI Indicators (IOB, IOC, IOA); Submit #685538 (D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow); https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(authentication.cgi).pdf https://www.dlink.com/ |
| IBM–AIX | IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 store NIM private keys used in NIM environments in an insecure way that is susceptible to unauthorized access by an attacker using man-in-the-middle techniques. | 2025-11-13 | 9 | CVE-2025-36096 | https://www.ibm.com/support/pages/node/7251173 |
| IBM–AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56347. | 2025-11-13 | 9.6 | CVE-2025-36251 | https://www.ibm.com/support/pages/node/7251173 |
| SAP_SE–SAP Solution Manager | Due to missing input sanitization, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could give the attacker full control of the system, leading to a high impact on the confidentiality, integrity and availability of the system. | 2025-11-11 | 9.9 | CVE-2025-42887 | https://me.sap.com/notes/3668705 https://url.sap/sapsecuritypatchday |
| Dell–Data Lakehouse | Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity. | 2025-11-12 | 9.1 | CVE-2025-46608 | https://www.dell.com/support/kbdoc/en-us/000390529/dsa-2025-375-security-update-for-dell-data-lakehouse-multiple-vulnerabilities |
| Microsoft–Microsoft Office LTSC for Mac 2021 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 9.8 | CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability |
| Fortinet–FortiWeb | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | 2025-11-14 | 9.1 | CVE-2025-64446 | https://fortiguard.fortinet.com/psirt/FG-IR-25-910 |
| charmbracelet–soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability. | 2025-11-10 | 9.1 | CVE-2025-64522 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1 |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432, a misconfiguration in Junie could lead to exposure of the global Junie token. | 2025-11-10 | 9.6 | CVE-2025-64689 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| baptisteArno–typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue. | 2025-11-13 | 9.6 | CVE-2025-64709 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr |
| Zohocorp–ManageEngine Analytics Plus | Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration. | 2025-11-11 | 9.8 | CVE-2025-8324 | https://www.manageengine.com/analytics-plus/CVE-2025-8324.html |
| Siemens–Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application allows arbitrary commands to be run via its user interface. This user interface is reachable over the network and allows the execution of commands as the administrative application user. | 2025-11-11 | 8.8 | CVE-2024-32011 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Axis Communications AB–AXIS Optimizer | AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within Microsoft Windows operating system. This vulnerability can only be exploited if the attacker has access to the local Windows machine and sufficient access rights (administrator) to write data into the installation path of AXIS Optimizer. | 2025-11-11 | 8.4 | CVE-2025-10714 | https://www.axis.com/dam/public/a2/c7/8c/cve-2025-10714pdf-en-US-504221.pdf |
| mvirik–Mementor Core | The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. This is due to the plugin not properly handling the user switch-back function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges by accessing an administrator account through the switch-back functionality. | 2025-11-11 | 8.8 | CVE-2025-11168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2460e7c4-76dc-4bc3-bc06-b52df64f5353?source=cve http://plugins.trac.wordpress.org/browser/mementor-core/trunk/inc/functions.php#L1033 https://wordpress.org/plugins/mementor-core/ |
| astrasecuritysuite–Astra Security Suite Firewall & Malware Scan | The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-11-11 | 8.1 | CVE-2025-11521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve https://wordpress.org/plugins/getastra/ |
| chrisbadgett–LifterLMS WP LMS for eLearning, Online Courses, & Quizzes | The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user’s identity prior to allowing them to modify their own role via the REST API. The permission check in the update_item_permissions_check() function returns true when a user updates their own account without verifying the role changes. This makes it possible for authenticated attackers, with student-level access and above, to escalate their privileges to administrator by updating their own roles array via a crafted REST API request. Another endpoint intended for instructors also provides an attack vector. Affected version ranges are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0. | 2025-11-13 | 8.8 | CVE-2025-11923 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc13d13c-6b79-4bf1-8e77-c8cb836dc0c5?source=cve https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/server/class-llms-rest-students-controller.php#L386 https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/abstracts/class-llms-rest-users-controller.php#L721 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393703%40lifterlms%2Ftrunk&old=3388956%40lifterlms%2Ftrunk&sfp_email=&sfph_mail= |
| Premierturk Information Technologies Inc.–Excavation Management Information System | Files or Directories Accessible to External Parties and Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting and Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. | 2025-11-11 | 8.1 | CVE-2025-11959 | https://www.usom.gov.tr/bildirim/tr-25-0388 |
| n/a–cloudinary | Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application’s behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven’t received a response. | 2025-11-10 | 8.6 | CVE-2025-12613 | https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740 https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050 https://github.com/cloudinary/cloudinary_npm/pull/709 |
| koopersmith–Elastic Theme Editor | The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-11-11 | 8.8 | CVE-2025-12637 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php |
| wpallimport–Import any XML, CSV or Excel File to WordPress | The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution. | 2025-11-13 | 8.8 | CVE-2025-12733 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail= |
| creativethemeshq–Blocksy Companion | The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-11-11 | 8.8 | CVE-2025-12846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf?source=cve https://plugins.trac.wordpress.org/changeset/3391933/blocksy-companion/trunk/framework/features/svg.php |
| e-Excellence–U-Office Force | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-11-10 | 8.8 | CVE-2025-12864 | https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html |
| e-Excellence–U-Office Force | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-11-10 | 8.8 | CVE-2025-12865 | https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html |
| AWS–JDBC Wrapper | An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0 and AWS PGSQL ODBC driver to v1.0.1 | 2025-11-10 | 8 | CVE-2025-12967 | https://aws.amazon.com/security/security-bulletins/AWS-2025-028/ https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/2.6.5 https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2025-10-17 https://github.com/aws/aws-advanced-python-wrapper/releases/tag/1.4.0 https://github.com/aws/aws-pgsql-odbc/releases/tag/1.0.1 https://github.com/aws/aws-advanced-nodejs-wrapper/releases/tag/2.0.1 https://github.com/aws/aws-advanced-python-wrapper/security/advisories/GHSA-4jvf-wx3f-2x8q https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-7xw4-g7mm-r4hh https://github.com/aws/aws-pgsql-odbc/security/advisories/GHSA-q327-fgm8-7mxf https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-7wq2-32h4-9hc9 https://github.com/aws/aws-advanced-nodejs-wrapper/security/advisories/GHSA-8wj8-cfxr-9374 |
| D-Link–DIR-816L | A vulnerability has been found in D-Link DIR-816L 2_06_b09_beta. This affects the function genacgi_main of the file gena.cgi. Manipulation of the argument SERVER_ID/HTTP_SID leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13189 | VDB-332478 (D-Link DIR-816L gena.cgi genacgi_main stack-based overflow); CTI Indicators (IOB, IOC, IOA); Submit #685540 (D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow); https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(gena.cgi).pdf https://www.dlink.com/ |
| D-Link–DIR-816L | A vulnerability was found in D-Link DIR-816L 2_06_b09_beta. This vulnerability affects the function scandir_main of the file /portal/__ajax_exporer.sgi. Manipulation of the argument en results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13190 | VDB-332479 (D-Link DIR-816L __ajax_exporer.sgi scandir_main stack-based overflow); CTI Indicators (IOB, IOC, IOA); Submit #685541 (D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow); https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(scandir.sgi).pdf https://www.dlink.com/ |
| D-Link–DIR-816L | A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13191 | VDB-332480 (D-Link DIR-816L soap.cgi soapcgi_main stack-based overflow); CTI Indicators (IOB, IOC, IOA); Submit #685543 (D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow); https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(soap.cgi).pdf https://www.dlink.com/ |
| Cisco–Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 8.8 | CVE-2025-20341 | cisco-sa-catc-priv-esc-VS8EeCuX |
| n/a–Intel(R) CIP software | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-24299 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-24838 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| Red Hat–Cluster Observability Operator 1.3.0 | A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues. | 2025-11-12 | 8.8 | CVE-2025-2843 | RHSA-2025:21146 https://access.redhat.com/security/cve/CVE-2025-2843 RHBZ#2355222 |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 8.2 | CVE-2025-30255 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Microsoft–Nuance PowerScribe 360 version 4.0.5 | Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 8.1 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability |
| n/a–Intel(R) Arc(TM) B-series GPUs | Incorrect default permissions in some firmware for the Intel(R) Arc(TM) B-series GPUs within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.2 | CVE-2025-32091 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a–Intel QuickAssist Technology | Improper input validation for some Intel QuickAssist Technology before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-33000 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| NVIDIA–AuthN component of NVIDIA AIStore | NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering. | 2025-11-11 | 8.8 | CVE-2025-33186 | https://nvd.nist.gov/vuln/detail/CVE-2025-33186 https://www.cve.org/CVERecord?id=CVE-2025-33186 https://nvidia.custhelp.com/app/answers/detail/a_id/5724 |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 8.2 | CVE-2025-35971 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| IBM–AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to write arbitrary files on the system. | 2025-11-13 | 8.2 | CVE-2025-36236 | https://www.ibm.com/support/pages/node/7251173 |
| Dell–SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2025-11-12 | 8.8 | CVE-2025-46427 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| Dell–SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. | 2025-11-12 | 8.8 | CVE-2025-46428 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | 2025-11-10 | 8.8 | CVE-2025-47773 | https://github.com/Combodo/iTop/security/advisories/GHSA-9qmf-5457-9xp3 |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack. | 2025-11-10 | 8.8 | CVE-2025-47932 | https://github.com/Combodo/iTop/security/advisories/GHSA-rmxq-fx69-7wg5 |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0. | 2025-11-10 | 8.5 | CVE-2025-48055 | https://github.com/Combodo/iTop/security/advisories/GHSA-684h-f39j-5gq8 |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | 2025-11-10 | 8.8 | CVE-2025-48065 | https://github.com/Combodo/iTop/security/advisories/GHSA-292c-hgcf-2g22 |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature. | 2025-11-10 | 8.7 | CVE-2025-49145 | https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j |
| General Industrial Controls–Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. | 2025-11-14 | 8.2 | CVE-2025-55034 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Red Hat–Red Hat Enterprise Linux 10 | If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the “use_dns” setting is explicitly set to false are not affected. | 2025-11-12 | 8.6 | CVE-2025-59088 | RHSA-2025:21138 RHSA-2025:21139 RHSA-2025:21140 RHSA-2025:21141 RHSA-2025:21142 RHSA-2025:21448 https://access.redhat.com/security/cve/CVE-2025-59088 RHBZ#2393955 https://github.com/latchset/kdcproxy/pull/68 |
| Microsoft–Microsoft SQL Server 2017 (GDR) | Improper neutralization of special elements used in an sql command (‘sql injection’) in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-11-11 | 8.8 | CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| vega–vega | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches the `vega` library and a `vega.View` instance (similar to the Vega Editor) to the global `window`, and if they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties. | 2025-11-13 | 8.1 | CVE-2025-59840 | https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft–Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-62204 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft–Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation (‘cross-site scripting’) in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | 2025-11-11 | 8.7 | CVE-2025-62210 | Dynamics 365 Field Service (online) Spoofing Vulnerability |
| Microsoft–Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation (‘cross-site scripting’) in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | 2025-11-11 | 8.7 | CVE-2025-62211 | Dynamics 365 Field Service (online) Spoofing Vulnerability |
| Microsoft–Windows Subsystem for Linux GUI | Heap-based buffer overflow in Windows Subsystem for Linux GUI allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 8.8 | CVE-2025-62220 | Windows Subsystem for Linux GUI Remote Code Execution Vulnerability |
| Microsoft–Microsoft Visual Studio Code CoPilot Chat Extension | Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 8.8 | CVE-2025-62222 | Agentic AI and Visual Studio Code Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Zoom Communications Inc.–Zoom Workplace | Inefficient regular expression complexity in certain Zoom Workplace Clients before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2025-11-13 | 8.1 | CVE-2025-62484 | https://www.zoom.com/en/trust/security-bulletin/zsb-25048 |
| evervault–evervault-go | Evervault is a payment security solution. A vulnerability was identified in the `evervault-go` SDK’s attestation verification logic in versions of `evervault-go` prior to 1.3.2 that may allow incomplete documents to pass validation. This may cause the client to trust an enclave operator that does not meet expected integrity guarantees. The exploitability of this issue is limited in Evervault-hosted environments, as an attacker would require the prerequisite ability to serve requests from specific Evervault domain names, following from the ACME-challenge-based TLS certificate acquisition pipeline. The vulnerability primarily affects applications which only check PCR8. Though the efficacy is also reduced for applications that check all PCR values, the impact is largely remediated by checking PCR 0, 1 and 2. The identified issue has been addressed in version 1.3.2 by validating attestation documents before storing them in the cache, and replacing the naive equality checks with a new SatisfiedBy check. Those who use evervault-go to attest Enclaves that are hosted outside of Evervault environments and cannot upgrade have two possible workarounds available: modify the application logic to fail verification if PCR8 is not explicitly present and non-empty, and/or add custom pre-validation to reject documents that omit any required PCRs. | 2025-11-12 | 8.7 | CVE-2025-64186 | https://github.com/evervault/evervault-go/security/advisories/GHSA-88h9-77c7-p6w4 https://github.com/evervault/evervault-go/pull/48 https://github.com/evervault/evervault-go/commit/7c824d289bba11ec0bea46a338023f5b128bbb28 |
| Brightpick AI–Brightpick Mission Control / Internal Logic Control | Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques. | 2025-11-14 | 8.6 | CVE-2025-64309 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| JetBrains–ReSharper | In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation | 2025-11-10 | 8.4 | CVE-2025-64456 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| oauth2-proxy–oauth2-proxy | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications) are affected. Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy’s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched in v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rationale that requires keeping a similar-looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services do not treat underscores and hyphens in headers the same way. | 2025-11-10 | 8.5 | CVE-2025-64484 | https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2 https://datatracker.ietf.org/doc/html/rfc822#section-3.2 https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx |
| pdfminer–pdfminer.six | Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue. | 2025-11-10 | 8.6 | CVE-2025-64512 | https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 https://github.com/pdfminer/pdfminer.six/releases/tag/20251107 |
| torrentpier–torrentpier | TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In versions up to and including 2.8.8, an authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can exploit this vulnerability by supplying a malicious `topic_id` (`t`) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database. Although it requires moderator privileges, it is still severe. A malicious or compromised moderator account can leverage this vulnerability to read, modify, or delete data. A patch is available at commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80. | 2025-11-10 | 8.8 | CVE-2025-64519 | https://github.com/torrentpier/torrentpier/security/advisories/GHSA-4rwr-8c3m-55f6 https://github.com/torrentpier/torrentpier/commit/6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure | 2025-11-10 | 8.1 | CVE-2025-64685 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.–Zoom Workplace for Android | Improper authorization handling in Zoom Workplace for Android before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2025-11-13 | 8.1 | CVE-2025-64741 | https://www.zoom.com/en/trust/security-bulletin/zsb-25043 |
| Fujitsu–fbiosdrv.sys | Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability. | 2025-11-12 | 8.2 | CVE-2025-65001 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-FCCL-2025-072319-Security-Notice.pdf https://hexaplex.ai |
| Optimus Software–Brokerage Automation | Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information. This issue affects Brokerage Automation: before 1.1.71. | 2025-11-14 | 8.1 | CVE-2025-8855 | https://www.usom.gov.tr/bildirim/tr-25-0396 |
| Zohocorp–ManageEngine Applications Manager | Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection due to improper configuration in the execute program action feature. | 2025-11-11 | 8.8 | CVE-2025-9223 | https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9223.html |
| AVEVA–Edge | The vulnerability, if exploited, could allow a miscreant with read access to Edge Project files or Edge Offline Cache files to reverse engineer Edge users’ app-native or Active Directory passwords through computational brute-forcing of weak hashes. | 2025-11-14 | 8.4 | CVE-2025-9317 | https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-006.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-03.json |
| zephyrproject-rtos–Zephyr | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. | 2025-11-11 | 8.2 | CVE-2025-9408 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3r6j-5mp3-75wr |
| Siemens–Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as administrative application user. | 2025-11-11 | 7.8 | CVE-2024-32008 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Siemens–Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to wrongly set permissions to a binary which allows any local attacker to gain administrative privileges. | 2025-11-11 | 7.8 | CVE-2024-32009 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Siemens–Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to extraction of database credentials via a world-readable credential file. This allows an attacker to connect to the database as privileged application user and to run system commands via the database. | 2025-11-11 | 7.8 | CVE-2024-32010 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| ceph–ceph | Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist. | 2025-11-12 | 7.5 | CVE-2024-47866 | https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8 |
| Turkguven Software Technologies Inc.–Perfektive | Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass. This issue affects Perfektive: before Version: 12574 Build: 2701. | 2025-11-11 | 7.3 | CVE-2025-10161 | https://www.usom.gov.tr/bildirim/tr-25-0387 |
| Lenovo–App Store | A potential vulnerability was reported in the Lenovo PC Manager, Lenovo App Store, Lenovo Browser, and Lenovo Legion Zone client applications that, under certain conditions, could allow an attacker on the same logical network to execute arbitrary code. | 2025-11-12 | 7.5 | CVE-2025-10495 | https://iknow.lenovo.com.cn/detail/434328 |
| Ivanti–Endpoint Manager | Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk | 2025-11-11 | 7.1 | CVE-2025-10918 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US |
| miunosoft–Auto Amazon Links Amazon Associates Affiliate Plugin | The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the ‘/wp-json/wp/v2/aal_ajax_unit_loading’ REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-11 | 7.5 | CVE-2025-11451 | https://www.wordfence.com/threat-intel/vulnerabilities/id/568254a4-400d-45ea-8a96-1669b0694d70?source=cve https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/output/_abstract/AmazonAutoLinks_UnitOutput_Base.php https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/option/template/AmazonAutoLinks_UnitOutput__TemplatePath.php |
| Autodesk–3ds Max | A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-11-12 | 7.8 | CVE-2025-11795 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0023 |
| Autodesk–3ds Max | A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-11-12 | 7.8 | CVE-2025-11797 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0023 |
| DivvyDrive Information Technologies Inc.–Digital Corporate Warehouse | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in DivvyDrive Information Technologies Inc. Digital Corporate Warehouse allows Stored XSS. This issue affects Digital Corporate Warehouse: before v.4.8.2.22. | 2025-11-12 | 7.3 | CVE-2025-11962 | https://www.usom.gov.tr/bildirim/tr-25-0393 |
| yudiz–Easy Email Subscription | The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-12 | 7.2 | CVE-2025-11994 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5bb14c1-8713-4aa1-b50a-53bed07a5f80?source=cve https://plugins.svn.wordpress.org/email-subscription-with-secure-captcha/tags/1.3/subscriber-form.php https://plugins.svn.wordpress.org/email-subscription-with-secure-captcha/tags/1.3/simple-email-subscription.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388578%40email-subscription-with-secure-captcha&new=3388578%40email-subscription-with-secure-captcha&sfp_email=&sfph_mail= |
| Lenovo–Scanner Pro | An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system. | 2025-11-12 | 7.5 | CVE-2025-12048 | https://iknow.lenovo.com.cn/detail/434326 |
| ameliabooking–Booking for Appointments and Events Calendar Amelia | The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-16 | 7.5 | CVE-2025-12482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php |
| stellarwp–Booking Calendar \| Appointment Booking \| Bookit | The Booking Calendar \| Appointment Booking \| Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘/wp-json/bookit/v1/commerce/stripe/return’ REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | 2025-11-12 | 7.5 | CVE-2025-12633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2263d356-b2ed-4e16-98ee-b01d4274d1d9?source=cve https://plugins.trac.wordpress.org/changeset/3393159/bookit/tags/2.5.1/src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php?old=3121677&old_path=bookit%2Ftags%2F2.5.0%2Fsrc%2FBookit%2FGateways%2FStripeConnect%2FREST%2FReturn_Endpoint.php |
| pgadmin.org–pgAdmin 4 | pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data (denial of service). | 2025-11-13 | 7.5 | CVE-2025-12764 | https://github.com/pgadmin-org/pgadmin4/issues/9325 |
| pgadmin.org–pgAdmin 4 | pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. | 2025-11-13 | 7.5 | CVE-2025-12765 | https://github.com/pgadmin-org/pgadmin4/issues/9324 |
| tigroumeow–AI Engine | The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the ‘rest_simpleTranscribeAudio’ and ‘rest_simpleVisionQuery’ functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-11-13 | 7.1 | CVE-2025-12844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c39c1b72-e3e0-44fb-8fb8-602cb0aa61e3?source=cve https://github.com/jordymeow/ai-engine/blob/main/classes/modules/files.php#L237 https://github.com/jordymeow/ai-engine/blob/main/classes/api.php#L799 https://github.com/jordymeow/ai-engine/blob/main/classes/services/image.php#L43 https://github.com/jordymeow/ai-engine/blob/main/classes/engines/chatml.php#L960-L967 https://plugins.trac.wordpress.org/changeset/3392052/ |
| Hundred Plus–EIP Plus | EIP Plus developed by Hundred Plus has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-11-10 | 7.2 | CVE-2025-12867 | https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html |
| mrclayton–Payment Plugins Braintree For WooCommerce | The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions. | 2025-11-12 | 7.5 | CVE-2025-12903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23 https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35 https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41 https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392259%40woo-payment-gateway&new=3392259%40woo-payment-gateway&sfp_email=&sfph_mail= |
| otacke–SNORDIAN’s H5PxAPIkatchu | The SNORDIAN’s H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘insert_data’ AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-14 | 7.2 | CVE-2025-12904 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90552d5a-6103-48c7-ad44-52ee8ecac114?source=cve https://plugins.trac.wordpress.org/changeset/3392176/h5pxapikatchu |
| rymcu–forest | A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-11-10 | 7.3 | CVE-2025-12925 | VDB-331645; rymcu forest UserDicController.java deleteDic authorization VDB-331645; CTI Indicators (IOB, IOC, IOA) Submit #681080; RYMCU forest V1.0 Missing Authentication https://github.com/rymcu/forest/issues/199 |
| code-projects–Online Job Search Engine | A vulnerability was detected in code-projects Online Job Search Engine 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument username/phone results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-11-10 | 7.3 | CVE-2025-12928 | VDB-331648; code-projects Online Job Search Engine login.php sql injection VDB-331648; CTI Indicators (IOB, IOC, TTP, IOA) Submit #681740; code-projects Online Job Search Engine 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Online%20Job%20Search%20Engine.md https://github.com/lakshayyverma/CVE-Discovery/blob/main/Online%20Job%20Search%20Engine.md#proof-of-concept-poc https://code-projects.org/ |
| SourceCodester–Survey Application System | A flaw has been found in SourceCodester Survey Application System 1.0. This impacts the function save_user/update_user of the file /LoginRegistration.php. Executing manipulation of the argument fullname can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. Other parameters might be affected as well. | 2025-11-10 | 7.3 | CVE-2025-12929 | VDB-331649; SourceCodester Survey Application System LoginRegistration.php update_user sql injection VDB-331649; CTI Indicators (IOB, IOC, TTP, IOA) Submit #681746; sourcecodester Survey Application System 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Survey%20Application%20System.md https://www.sourcecodester.com/ |
| projectworlds–Online Admission System | A vulnerability was identified in projectworlds Online Admission System 1.0. Affected by this vulnerability is an unknown functionality of the file /process_login.php. The manipulation of the argument keywords leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-10 | 7.3 | CVE-2025-12938 | VDB-331662; projectworlds Online Admission System process_login.php sql injection VDB-331662; CTI Indicators (IOB, IOC, TTP, IOA) Submit #682313; Projectworlds Online Attendance System V1.0 SQL Injection https://github.com/juzidddd/CVE/issues/1 |
| Red Hat–Red Hat Advanced Cluster Management for Kubernetes 2 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker’s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls. | 2025-11-14 | 7.5 | CVE-2025-13033 | https://access.redhat.com/security/cve/CVE-2025-13033 RHBZ#2402179 https://github.com/nodemailer/nodemailer https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626 https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87 |
| ViewLead Technology–Bacteriology Laboratory Reporting System | Bacteriology Laboratory Reporting System developed by ViewLead Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-12 | 7.5 | CVE-2025-13046 | https://www.twcert.org.tw/tw/cp-132-10498-61fa4-1.html https://www.twcert.org.tw/en/cp-139-10499-15678-2.html |
| ViewLead Technology–Bacteriology Laboratory Reporting System | Bacteriology Laboratory Reporting System developed by ViewLead Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-12 | 7.5 | CVE-2025-13047 | https://www.twcert.org.tw/tw/cp-132-10498-61fa4-1.html https://www.twcert.org.tw/en/cp-139-10499-15678-2.html |
| SourceCodester–Survey Application System | A security vulnerability has been detected in SourceCodester Survey Application System 1.0. This affects an unknown function of the file /view_survey.php. Such manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-12 | 7.3 | CVE-2025-13060 | VDB-332187 \| SourceCodester Survey Application System view_survey.php sql injection VDB-332187 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682565 \| sourcecodester Survey Application System 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Survey%20Application%20System%202%20.md https://www.sourcecodester.com/ |
| DinukaNavaratna–Dee Store | A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed remotely. The exploit has been published and may be used. Multiple endpoints are affected. | 2025-11-12 | 7.3 | CVE-2025-13063 | VDB-332189 \| DinukaNavaratna Dee Store authorization VDB-332189 \| CTI Indicators (IOB, IOC) Submit #682708 \| DinukaNavaratna Dee_Store-Simple_Online_Shopping_Website 1.0 Missing Authorization https://github.com/DinukaNavaratna/Dee_Store-Simple_Online_Shopping_Website/issues/1 |
| cameasy–Liketea | A security vulnerability has been detected in cameasy Liketea 1.0.0. Impacted is the function list of the file laravel/app/Http/Controllers/Front/StoreController.php of the component API Endpoint. Such manipulation of the argument lng/lat leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-13 | 7.3 | CVE-2025-13121 | VDB-332349 \| cameasy Liketea API Endpoint StoreController.php list sql injection VDB-332349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683659 \| liketea 1.0.0 SQL Injection https://github.com/ictrun/liketea-sql-injection/blob/main/README.md https://github.com/ictrun/liketea-sql-injection/blob/main/README.md#proof-of-concept |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. The affected element is the function getPatientAppointment of the file /php/api_patient_checkin.php. Performing manipulation of the argument appointmentID results in SQL injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-11-13 | 7.3 | CVE-2025-13122 | VDB-332350 \| SourceCodester Patients Waiting Area Queue Management System api_patient_checkin.php getPatientAppointment sql injection VDB-332350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683789 \| SourceCodester User-Management-PHP-MYSQL web v1 SQL Injection https://www.sourcecodester.com/ |
| n/a–Radarr | A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\ProgramData\Radarr\bin\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 7.8 | CVE-2025-13130 | VDB-332361 \| Radarr Service Radarr.Console.exe default permission VDB-332361 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683876 \| Radarr 5.28.0.10274 Incorrect Default Permissions https://github.com/lakshayyverma/CVE-Discovery/blob/main/Radarr.md |
| n/a–Sonarr | A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a “low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account”. It is planned to fix this issue in the next major release v5. | 2025-11-13 | 7.8 | CVE-2025-13131 | VDB-332362 \| Sonarr Service Sonarr.Console.exe default permission VDB-332362 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683894 \| Sonarr 4.0.15.2940 Incorrect Default Permissions https://github.com/lakshayyverma/CVE-Discovery/blob/main/Sonarr.md |
| IQ Service International–IQ-Support | IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-11-14 | 7.5 | CVE-2025-13161 | https://www.twcert.org.tw/en/cp-139-10502-11c6d-2.html https://www.twcert.org.tw/tw/cp-132-10501-a25a6-1.html |
| code-projects–Simple Online Hotel Reservation System | A security vulnerability has been detected in code-projects Simple Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /add_query_reserve.php. Such manipulation of the argument room_id leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-14 | 7.3 | CVE-2025-13169 | VDB-332457 \| code-projects Simple Online Hotel Reservation System add_query_reserve.php sql injection VDB-332457 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684616 \| code-projects Simple Online Hotel Reservation System 1.0 SQL Injection https://github.com/hanshi-798/CVE/blob/main/tmp72/report.md https://code-projects.org/ |
| code-projects–Simple Online Hotel Reservation System | A vulnerability was detected in code-projects Simple Online Hotel Reservation System 1.0. This issue affects some unknown processing of the file /admin/edit_account.php. Performing manipulation of the argument admin_id results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-11-14 | 7.3 | CVE-2025-13170 | VDB-332458 \| code-projects Simple Online Hotel Reservation System edit_account.php sql injection VDB-332458 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684617 \| Code-projects SIMPLE ONLINE HOTEL RESERVATION SYSTEM 1.0 SQL Injection https://github.com/pfdlyy/CVE/issues/1 https://code-projects.org/ |
| code-projects–Simple Cafe Ordering System | A vulnerability was identified in code-projects Simple Cafe Ordering System 1.0. Affected by this issue is some unknown functionality of the file /login.php. Such manipulation of the argument Username leads to SQL injection. The attack may be performed remotely. The exploit is publicly available and might be used. | 2025-11-15 | 7.3 | CVE-2025-13201 | VDB-332499 \| code-projects Simple Cafe Ordering System login.php sql injection VDB-332499 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685619 \| code-projects Simple Cafe Ordering System published October 30, 2025 SQL Injection https://github.com/shenxianyuguitian/cafeorder_vuln_SQL/blob/main/README.md https://code-projects.org/ |
| code-projects–Simple Cafe Ordering System | A weakness has been identified in code-projects Simple Cafe Ordering System 1.0. This vulnerability affects unknown code of the file /addmem.php. Executing manipulation of the argument studentnum can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 7.3 | CVE-2025-13203 | VDB-332501 \| code-projects Simple Cafe Ordering System addmem.php sql injection VDB-332501 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686708 \| Code-Projects Simple Cafe Ordering System V1.0 SQL Injection https://github.com/JasonCyberYu/SimpleCafe/issues/1 https://code-projects.org/ |
| itsourcecode–Inventory Management System | A vulnerability has been found in itsourcecode Inventory Management System 1.0. The affected element is an unknown function of the file /index.php?q=single-item. Such manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13233 | VDB-332559 \| itsourcecode Inventory Management System index.php sql injection VDB-332559 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686683 \| itsourcecode Inventory Management System V1.0 sql https://github.com/3169417664/cve/issues/2 https://itsourcecode.com/ |
| itsourcecode–Inventory Management System | A vulnerability was determined in itsourcecode Inventory Management System 1.0. This affects an unknown function of the file /admin/login.php. Executing manipulation of the argument user_email can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 7.3 | CVE-2025-13235 | VDB-332561 \| itsourcecode Inventory Management System login.php sql injection VDB-332561 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686701 \| itsourcecode Inventory Management System v1.0 SQL Injection https://github.com/52914/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode–Inventory Management System | A security flaw has been discovered in itsourcecode Inventory Management System 1.0. Affected is an unknown function of the file /LogSignModal.PHP. The manipulation of the argument U_USERNAME results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-16 | 7.3 | CVE-2025-13237 | VDB-332563 \| itsourcecode Inventory Management System LogSignModal.PHP sql injection VDB-332563 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686734 \| itsourcecode Inventory Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/57 https://itsourcecode.com/ |
| code-projects–Student Information System | A vulnerability was detected in code-projects Student Information System 2.0. This affects an unknown part of the file /searchquery.php. Performing manipulation of the argument s results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13240 | VDB-332566 \| code-projects Student Information System searchquery.php sql injection VDB-332566 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687522 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL12.md https://code-projects.org/ |
| code-projects–Student Information System | A flaw has been found in code-projects Student Information System 2.0. This vulnerability affects unknown code of the file /index.php. Executing manipulation of the argument Username can lead to SQL injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-16 | 7.3 | CVE-2025-13241 | VDB-332567 \| code-projects Student Information System index.php sql injection VDB-332567 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687526 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL13.md https://code-projects.org/ |
| code-projects–Student Information System | A vulnerability has been found in code-projects Student Information System 2.0. This issue affects some unknown processing of the file /register.php. The manipulation leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13242 | VDB-332568 \| code-projects Student Information System register.php sql injection VDB-332568 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687527 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL14.md https://code-projects.org/ |
| PHPGurukul–Tourism Management System | A security flaw has been discovered in PHPGurukul Tourism Management System 1.0. The affected element is an unknown function of the file /admin/user-bookings.php. The manipulation of the argument uid results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-16 | 7.3 | CVE-2025-13247 | VDB-332581 \| PHPGurukul Tourism Management System user-bookings.php sql injection VDB-332581 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687578 \| PHPGurukul Tourism Management System in PHP with Source code V1.0 SQL Injection https://github.com/L-Bitter/CVE/issues/3 https://phpgurukul.com/ |
| SourceCodester–Patients Waiting Area Queue Management System | A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is an unknown function of the file /php/api_patient_schedule.php. This manipulation of the argument appointmentID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-16 | 7.3 | CVE-2025-13248 | VDB-332582 \| SourceCodester Patients Waiting Area Queue Management System api_patient_schedule.php sql injection VDB-332582 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687580 \| SourceCodester Patients Waiting Area Queue Management System 1.0 SQL Injection https://github.com/2H-K/mycve/issues/2 https://www.sourcecodester.com/ |
| shsuishang–ShopSuite ModulithShop | A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. | 2025-11-16 | 7.3 | CVE-2025-13252 | VDB-332587 \| shsuishang ShopSuite ModulithShop RSA/OAuth2/Database hard-coded credentials VDB-332587 \| CTI Indicators (IOB, IOC, TTP) Submit #687685 \| shsuishang modulithshop v1.0.0 Hardcoded Secrets and Credentials https://github.com/shsuishang/modulithshop/issues/2 https://github.com/shsuishang/modulithshop/issues/2#issue-3580272472 |
| n/a–Intel(R) Processor Identification Utility | Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 7.8 | CVE-2025-20010 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| NVIDIA–Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | 2025-11-11 | 7.8 | CVE-2025-23357 | https://nvd.nist.gov/vuln/detail/CVE-2025-23357 https://www.cve.org/CVERecord?id=CVE-2025-23357 https://nvidia.custhelp.com/app/answers/detail/a_id/5712 |
| NVIDIA–NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-11 | 7.8 | CVE-2025-23361 | https://nvd.nist.gov/vuln/detail/CVE-2025-23361 https://www.cve.org/CVERecord?id=CVE-2025-23361 https://nvidia.custhelp.com/app/answers/detail/a_id/5718 |
| n/a–Intel(R) QAT Windows software | Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 7.8 | CVE-2025-27713 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–Intel UEFI reference platforms | Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable data alteration. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts. | 2025-11-11 | 7.9 | CVE-2025-30185 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01378.html |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-33029 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| NVIDIA–NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection. A successful exploit of this vulnerability may lead to Code execution, Escalation of privileges, Information disclosure, and Data tampering. | 2025-11-11 | 7.8 | CVE-2025-33178 | https://nvd.nist.gov/vuln/detail/CVE-2025-33178 https://www.cve.org/CVERecord?id=CVE-2025-33178 https://nvidia.custhelp.com/app/answers/detail/a_id/5718 |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-35963 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-35967 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Siemens–Solid Edge SE2025 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates when connecting to the License Service endpoint. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks. | 2025-11-11 | 7.5 | CVE-2025-40744 | https://cert-portal.siemens.com/productcert/html/ssa-522291.html |
| Siemens–Altair Grid Engine | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly validate environment variables when loading shared libraries, allowing path hijacking through malicious library substitution. This could allow a local attacker to execute arbitrary code with superuser privileges by manipulating the environment variable and placing a malicious library in the controlled path. | 2025-11-11 | 7.8 | CVE-2025-40763 | https://cert-portal.siemens.com/productcert/html/ssa-514895.html |
| Siemens–LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not properly validate the structure of TCP packets in several methods. This could allow an attacker to cause buffer overflows, get control over the instruction counter and run custom code. | 2025-11-11 | 7.2 | CVE-2025-40815 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| Siemens–LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to manipulate the device's IP address, which means the device would no longer be reachable. | 2025-11-11 | 7.6 | CVE-2025-40816 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| Siemens–Siemens Software Center | A vulnerability has been identified in Siemens Software Center (All versions < V3.5), Solid Edge SE2025 (All versions < V225.0 Update 10). The affected application is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code via placing a crafted DLL file on the system. | 2025-11-11 | 7.8 | CVE-2025-40827 | https://cert-portal.siemens.com/productcert/html/ssa-365596.html |
| Jumo–variTRON300 | A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled. | 2025-11-10 | 7.4 | CVE-2025-41731 | https://jumo.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-086.json |
| SAP_SE–SAP CommonCryptoLib | SAP CommonCryptoLib does not perform necessary boundary checks during pre-authentication parsing of manipulated ASN.1 data over the network. This may result in memory corruption followed by an application crash, hence leading to a high impact on availability. There is no impact on confidentiality or integrity. | 2025-11-11 | 7.5 | CVE-2025-42940 | https://me.sap.com/notes/3633049 https://url.sap/sapsecuritypatchday |
| Dell–Alienware Command Center | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Detection of Error Condition Without Action vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary Code Execution. | 2025-11-13 | 7.8 | CVE-2025-46367 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell–Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation. | 2025-11-13 | 7.8 | CVE-2025-46369 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell–Display and Peripheral Manager | Dell Display and Peripheral Manager, versions prior to 2.1.2.12, contains an Execution with Unnecessary Privileges vulnerability in the Installer. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2025-11-10 | 7.3 | CVE-2025-46430 | https://www.dell.com/support/kbdoc/en-us/000384546/dsa-2025-411 |
| Microsoft–Azure Monitor | Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.3 | CVE-2025-59504 | Azure Monitor Agent Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59505 | Windows Smart Card Reader Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59506 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Speech allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59507 | Windows Speech Runtime Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Speech allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59508 | Windows Speech Recognition Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59511 | Windows WLAN Service Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper privilege management in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59515 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability |
| General Industrial Controls–Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information. | 2025-11-14 | 7.5 | CVE-2025-59780 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Microsoft–Windows 10 Version 1809 | Untrusted pointer dereference in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60703 | Windows Remote Desktop Services Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | 2025-11-11 | 7.5 | CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Multimedia Class Scheduler Service (MMCSS) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Out-of-bounds read in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60709 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Improper link resolution before file access (‘link following’) in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft–Windows Server 2019 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Heap-based buffer overflow in Windows OLE allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-60714 | Windows OLE Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60717 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 24H2 | Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60718 | Windows Administrator Protection Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability |
| Microsoft–Windows 11 Version 25H2 | Privilege context switching error in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability |
| Microsoft–Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 7.1 | CVE-2025-60726 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft–Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-60727 | Microsoft Excel Remote Code Execution Vulnerability |
| Adobe–InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61814 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61815 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe–InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61816 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe–InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61817 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe–InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61818 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe–Photoshop Desktop | Photoshop Desktop versions 26.8.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61819 | https://helpx.adobe.com/security/products/photoshop/apsb25-108.html |
| Adobe–Illustrator | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61820 | https://helpx.adobe.com/security/products/illustrator/apsb25-109.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61824 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe–Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61826 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe–Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61827 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe–Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61828 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe–Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61829 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe–Adobe Pass | Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | 2025-11-11 | 7.1 | CVE-2025-61830 | https://helpx.adobe.com/security/products/pass/apsb25-112.html |
| Adobe–Illustrator | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61831 | https://helpx.adobe.com/security/products/illustrator/apsb25-109.html |
| Adobe–InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61832 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe–Substance3D – Stager | Substance3D – Stager versions 3.1.5 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61833 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe–Substance3D – Stager | Substance3D – Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61834 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe–Substance3D – Stager | Substance3D – Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61835 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe–Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61836 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61837 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61838 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61839 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Microsoft–Microsoft Office 2016 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft–Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62200 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Office Online Server | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62201 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 7.1 | CVE-2025-62202 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft–Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62203 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft–Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62205 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability |
| Microsoft–Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62216 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62218 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Double free in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62219 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability |
| General Industrial Controls–Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow an attacker to observe network traffic to obtain sensitive information, including plaintext credentials. | 2025-11-14 | 7.5 | CVE-2025-62765 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don’t use export.php, which was deprecated. They use export-v2.php instead. | 2025-11-10 | 7.1 | CVE-2025-64167 | https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38 |
| Golemiq–0 Day Analytics | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Golemiq 0 Day Analytics allows SQL Injection. This issue affects 0 Day Analytics: from n/a through 4.0.0. | 2025-11-12 | 7.6 | CVE-2025-64293 | https://vdp.patchstack.com/database/wordpress/plugin/0-day-analytics/vulnerability/wordpress-0-day-analytics-plugin-4-0-0-sql-injection-vulnerability?_s_id=cve |
| Brightpick AI–Brightpick Mission Control / Internal Logic Control | The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle. | 2025-11-14 | 7.5 | CVE-2025-64308 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| symfony–symfony | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony’s HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn’t start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`. | 2025-11-12 | 7.3 | CVE-2025-64500 | https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass |
| etaminstudio–prosemirror_to_html | ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1. | 2025-11-10 | 7.6 | CVE-2025-64501 | https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 |
| bugsink–bugsink | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli “bombs” (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509. | 2025-11-10 | 7.5 | CVE-2025-64508 | https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v https://github.com/google/brotli/issues/1327 https://github.com/google/brotli/issues/1375 https://github.com/bugsink/bugsink/pull/266 https://github.com/google/brotli/pull/1234 https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5 https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627 https://github.com/google/brotli/releases/tag/v1.2.0 |
| bugsink–bugsink | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink 2.0.6. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-fc2v-vcwj-269v/CVE-2025-64508. | 2025-11-10 | 7.5 | CVE-2025-64509 | https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h |
| 1Panel-dev–MaxKB | MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network services such as databases through Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue. | 2025-11-13 | 7.4 | CVE-2025-64511 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9287-g7px-9rp4 |
| CycloneDX–cyclonedx-core-java | The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. | 2025-11-10 | 7.5 | CVE-2025-64518 | https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r https://github.com/CycloneDX/cyclonedx-core-java/pull/737 https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9 https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314 https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory |
| apollographql–federation | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation’s composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline fragments, for example. A fix to versions 2.9.5, 2.10.4, 2.11.5, and 2.12.1 of composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives. Some workarounds are available. Users of Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. Do not remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema. Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action. | 2025-11-13 | 7.5 | CVE-2025-64530 | https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw |
| Adobe–Substance3D – Stager | Substance3D – Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-64531 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432, missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget. | 2025-11-10 | 7.4 | CVE-2025-64688 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.–Zoom Workplace VDI Client | Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access. | 2025-11-13 | 7.5 | CVE-2025-64740 | https://www.zoom.com/en/trust/security-bulletin/ZSB-25042 |
| Fujitsu / Fsas Technologies–iRMC | Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters. | 2025-11-12 | 7.5 | CVE-2025-65002 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-ISS-2025-082610-Security-Notice.pdf |
| Zohocorp–ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report. | 2025-11-11 | 7.3 | CVE-2025-7429 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7429.html |
| Zohocorp–ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report. | 2025-11-11 | 7.3 | CVE-2025-7430 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7430.html |
| Zohocorp–ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report. | 2025-11-11 | 7.3 | CVE-2025-7632 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7632.html |
| Zohocorp–ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report. | 2025-11-11 | 7.3 | CVE-2025-7633 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7633.html |
| Lenovo–App Store | An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application. | 2025-11-12 | 7.3 | CVE-2025-8485 | https://iknow.lenovo.com.cn/detail/434329 |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Dell–SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Control of Generation of Code (‘Code Injection’) vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | 2025-11-12 | 6.7 | CVE-2024-48829 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| kayapati–Angel Fashion Model Agency WordPress CMS Theme | The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires that the user has access to the edit profile form with the media upload option. | 2025-11-13 | 6.4 | CVE-2025-10295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab747c34-219d-40c8-a73d-5b0dffba003b?source=cve https://themeforest.net/item/angel-fashion-model-agency-wordpress-cms-theme/4251413 |
| mheob–Include Fussball.de Widgets | The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api’ and ‘type’ parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a3df32-aa07-4cc0-97ba-bb4ab64ba6b9?source=cve https://plugins.trac.wordpress.org/browser/include-fussball-de-widgets/trunk/Frontend/Fubade.php#L231 https://plugins.trac.wordpress.org/browser/include-fussball-de-widgets/trunk/Frontend/Fubade.php#L232 |
| giuse–Specific Content For Mobile Customize the mobile version without redirections | The Specific Content For Mobile – Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-12 | 6.5 | CVE-2025-11454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed99dfd-6ca6-41e7-a844-d53eec7068c1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387807%40specific-content-for-mobile&new=3387807%40specific-content-for-mobile&sfp_email=&sfph_mail= |
| Red Hat–Red Hat build of Keycloak 26.4 | A vulnerability exists in Keycloak’s server distribution where enabling debug mode (`--debug <port>`) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. | 2025-11-13 | 6.8 | CVE-2025-11538 | RHSA-2025:21370 RHSA-2025:21371 https://access.redhat.com/security/cve/CVE-2025-11538 RHBZ#2402622 |
| aumsrini–WordPress Content Flipper | The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bgcolor’ shortcode attribute of the ‘flipper_front’ shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-13 | 6.4 | CVE-2025-11769 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d591a6-4bbe-435b-aef6-ed176c42dca2?source=cve https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L144 https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L258 |
| doytch–Skip to Timestamp | The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘skipto’ shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the ‘time’ attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11805 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48e62d66-d058-419c-93cf-0cb890177751?source=cve https://wordpress.org/plugins/skip-to-timestamp/ https://plugins.trac.wordpress.org/browser/skip-to-timestamp/tags/1.4.4/skiptotimestamp.php#L74 |
| elvismdev–Woocommerce Products By Custom Tax | The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woo_products_custom_tax’ shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11821 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbc26607-a588-4059-9a37-afede7c9e3f6?source=cve https://wordpress.org/plugins/woocommerce-products-by-custom-tax/ https://plugins.trac.wordpress.org/browser/woocommerce-products-by-custom-tax/tags/2.2/public/class-woocommerce-products-by-custom-tax-public.php#L90 |
| virtus-designs–WP Bootstrap Tabs | The WP Bootstrap Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bootstrap_tab’ shortcode in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11822 | https://www.wordfence.com/threat-intel/vulnerabilities/id/173305ee-9c89-4192-8ccf-227947b142d1?source=cve https://wordpress.org/plugins/wp-bootstrap-tabs/ https://plugins.trac.wordpress.org/browser/wp-bootstrap-tabs/tags/1.0.4/wp-bootstrap-tabs.php#L120 |
| pubudu-malalasekara–Magazine Companion | The Magazine Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘headerHtmlTag’ attribute in the bnm-blocks/featured-posts-1 block in all versions up to, and including, 1.2.3. This is due to insufficient input sanitization and output escaping when using user-supplied values as HTML tag names. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11828 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8fa2e98b-5054-46fd-b22e-eac59b581a3c?source=cve https://wordpress.org/plugins/bnm-blocks https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.2.3/src/blocks/posts/featured-posts-1/view.php#L34 |
| five9–Five9 Live Chat | The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘toolbar’ attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11829 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28548108-a004-4aeb-a0ad-269a73a71331?source=cve https://plugins.trac.wordpress.org/browser/five9/tags/1.1.2/includes/class-widget.php#L151 |
| eventbee–Eventbee Ticketing Widget | The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eventbeeticketwidget’ shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c439193-cc7d-4e40-8585-87cb2c40fe9b?source=cve https://plugins.trac.wordpress.org/browser/eventbee-ticketing-widget/tags/1.0/ticket-widget.php#L23 |
| coenjacobs–Paypal Donation Shortcode | The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘paypal’ shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the ‘title’ and ‘text’ parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b66ab7c4-7963-424f-afec-0e52b987c6b3?source=cve https://plugins.trac.wordpress.org/browser/paypal-donation-shortcode/tags/0.1/paypal-donation-shortcode.php#L23 |
| caselock–Twitter Feed | The Twitter Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ottwitter_feed’ shortcode in all versions up to, and including, 1.3.1. This is due to the plugin not properly sanitizing user input and output of the ‘width’ and ‘height’ parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11860 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ce182e57-a9d4-4c4b-b124-e6626ccdd712?source=cve https://plugins.trac.wordpress.org/browser/ot-twitter-feed/trunk/ottwitterfeed-shortcode.php#L27 |
| mindstien–My Geo Posts Free | The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mygeo_city’ shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the ‘default’ shortcode attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11863 | https://www.wordfence.com/threat-intel/vulnerabilities/id/374a26dd-dd62-4583-8aff-90e5ae6b7468?source=cve https://plugins.trac.wordpress.org/browser/my-geo-posts-free/tags/1.2/inc/shortcodes.php#L22 |
| simonpedge–Precise Columns | The Precise Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wrap_id` shortcode attribute in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input or escaping output when inserting the wrapper ID into the generated HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11869 | https://www.wordfence.com/threat-intel/vulnerabilities/id/909afec0-7ff5-430d-814d-d75fcfcd6232?source=cve https://plugins.trac.wordpress.org/browser/precise-columns/tags/1.0/precise-columns.php#L522 |
| eflyjason–WP BBCode | The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘url’ shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11873 | https://www.wordfence.com/threat-intel/vulnerabilities/id/23623d4c-5859-48f8-b28d-3e3f15bade7d?source=cve https://plugins.trac.wordpress.org/browser/wp-bbcode/tags/1.8.1/wp-bbcode.php#L162 |
| ethoseo–Simple Donate | The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11882 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d661c24e-48f3-4b97-aa34-e46bd3907546?source=cve https://plugins.trac.wordpress.org/browser/simple-donate/tags/1.0/index.php#L237 |
| Aryom Software High Technology Systems Inc.–KVKNET | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Aryom Software High Technology Systems Inc. KVKNET allows Reflected XSS. This issue affects KVKNET: before 2.1.8. | 2025-11-11 | 6.1 | CVE-2025-11960 | https://www.usom.gov.tr/bildirim/tr-25-0386 |
| wpkube–Authors List | The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via an arbitrary method call from the Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes. | 2025-11-11 | 6.5 | CVE-2025-12010 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5189c1c0-2d4c-47f5-b8d9-3192a670e586?source=cve https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.6.1/includes/class-authors-list-shortcode.php#L868 https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.6.1/includes/class-authors-list-shortcode.php#L852 |
| hectavex–WP-OAuth | The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-11 | 6.1 | CVE-2025-12021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72702870-8a1a-446b-8f9f-bd435e9257f2?source=cve https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/login-google.php#L42 https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/wp-oauth.php#L430 https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/wp-oauth.php#L545 |
| supsysticcom–Data Tables Generator by Supsystic | The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cleanCache() function in all versions up to, and including, 1.10.45. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-11-13 | 6.5 | CVE-2025-12089 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15e671e5-a9a6-4439-93cc-8d46fe0cde16?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394112%40data-tables-generator-by-supsystic&new=3394112%40data-tables-generator-by-supsystic&sfp_email=&sfph_mail= |
| baronen–WP-Walla | The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-11 | 6.1 | CVE-2025-12589 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ed9f7a1-54ef-4f88-b89c-756b8b646254?source=cve https://plugins.trac.wordpress.org/browser/wp-walla/tags/0.5.3.5/wpwalla_admin.php#L2 https://plugins.trac.wordpress.org/browser/wp-walla/tags/0.5.3.5/wpwalla_admin.php#L83 https://developer.wordpress.org/plugins/security/nonces/ https://developer.wordpress.org/reference/functions/esc_attr/ |
| andreaferracani–YSlider | The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses an injected page. | 2025-11-11 | 6.1 | CVE-2025-12590 | https://www.wordfence.com/threat-intel/vulnerabilities/id/79f03bfe-dd7e-47e7-9e6f-4539d26cc101?source=cve https://plugins.trac.wordpress.org/browser/yslider/tags/1.1/content-config.php#L2 https://plugins.trac.wordpress.org/browser/yslider/tags/1.1/content-config.php#L48 |
| wpcox–Nonaki Drag and Drop Email Template builder and Newsletter plugin for WordPress | The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nonaki’ shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom field values that are retrieved and rendered by the shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12644 | https://www.wordfence.com/threat-intel/vulnerabilities/id/467261ba-f41f-4e94-8941-e5b3d8392fdb?source=cve https://plugins.trac.wordpress.org/browser/nonaki-email-template-customizer/tags/1.0.11/includes/shortcode.php#L21 https://plugins.trac.wordpress.org/browser/nonaki-email-template-customizer/tags/1.0.11/includes/helper.php#L108 |
| eggemplo–Live Photos on WordPress | The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_src’, ‘img_src’, and ‘class’ parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12651 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fba3090f-2cc2-4e40-8080-ae83ba321a67?source=cve https://plugins.trac.wordpress.org/browser/live-photos/tags/0.1/core/class-livephotos-shortcodes.php#L42 |
| oscaruribe–Ungapped Widgets | The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘prefillvalues’ parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/25d0921b-39b1-4abb-9197-952fc55f80e6?source=cve https://plugins.trac.wordpress.org/browser/ungapped-widgets/tags/1/ungapped-widgets-plugin.php#L38 |
| mmdeveloper–Preload Current Images | The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘complete’ parameter in the ‘preload_progress_bar’ shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12658 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b9909373-48d7-425b-a20b-bb8bf2a80e9b?source=cve https://wordpress.org/plugins/preload-current-images/ https://plugins.trac.wordpress.org/browser/preload-current-images/tags/1.3/preload-current-images.php#L31 |
| andrico–Coon Google Maps | The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in the ‘map’ shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12662 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d0eaa0-ad8f-418c-bb61-eb209ba0249b?source=cve https://wordpress.org/plugins/coon-google-maps/ https://plugins.trac.wordpress.org/browser/coon-google-maps/tags/1.0/coon-google-maps.php#L71 |
| jahed–Jeba Cute forkit | The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘text’ parameter in the ‘jeba_forkit’ shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12663 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d4aa9303-953f-4bc3-8069-8e9a967461a9?source=cve https://wordpress.org/plugins/jeba-cute-forkit/ https://plugins.trac.wordpress.org/browser/jeba-cute-forkit/tags/1.0/jeba-forkit-index.php#L58 |
| paul1999–GitHub Gist Shortcode Plugin | The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the ‘gist’ shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12667 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc6468bf-37b6-4dd7-b2e5-e880e3cc3c32?source=cve https://wordpress.org/plugins/github-gist-shortcode/ https://plugins.trac.wordpress.org/browser/github-gist-shortcode/tags/0.2/github-gist-shortcode-plugin.php#L33 |
| sitedin–WP Count Down Timer | The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the ‘wp_countdown_timer’ shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12668 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bcbcad73-ce2a-4eb2-9b7f-91d47a93e16d?source=cve https://wordpress.org/plugins/wp-count-down-timer/ https://plugins.trac.wordpress.org/browser/wp-count-down-timer/tags/1.0.1/wp-count-down-timer.php#L69 |
| mrx3k1–WP-Iconics | The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the ‘wp_iconics’ shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12671 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90ec6c64-f2c6-483e-9d8b-25e65ccb4a90?source=cve https://wordpress.org/plugins/wp-iconics/ https://plugins.trac.wordpress.org/browser/wp-iconics/tags/0.0.4/wp-iconics.php#L47 |
| nuvuscripts–Flickr Show | The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘div_height’ parameter of the ‘flickrshow’ shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b792892-25dc-4df0-883d-afd0b47292e0?source=cve https://wordpress.org/plugins/wp-flickrshow/ https://plugins.trac.wordpress.org/browser/wp-flickrshow/tags/1.5/flickrshow.php#L230 |
| pritenhshah–Share to Google Classroom | The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the share_to_google shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12711 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87cc821c-21d5-49b7-9b72-030ca016efd8?source=cve https://plugins.trac.wordpress.org/browser/share-to-google-classroom/tags/1.0/share_to_google_classroom.php#L59 |
| sagortouch–Chart Expert | The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pmzez_chart’ shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8ed413a9-bf1d-4564-b740-4c92ec2c2249?source=cve https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L1 https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L95 |
| rampantlogic–Geopost | The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter of the ‘geopost’ shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12754 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4c38ca9a-895b-4d59-94c9-c7d5ba3b1b7d?source=cve https://plugins.trac.wordpress.org/browser/geopost/tags/1.2/geopost.php#L15 https://plugins.trac.wordpress.org/browser/geopost/tags/1.2/geopost.php#L20 |
| pgadmin.org–pgAdmin 4 | pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input. | 2025-11-13 | 6.8 | CVE-2025-12763 | https://github.com/pgadmin-org/pgadmin4/issues/9323 |
| OpenClinica–Community Edition | A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xml_file results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-10 | 6.3 | CVE-2025-12922 | VDB-331642 \| OpenClinica Community Edition CRF Data Import ImportCRFData path traversal VDB-331642 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #680873 \| OpenClinica OpenClinica Community Edition 3.13, Changeset 74f4df3481b6 (2017-02-28) and 3.12.2, Changeset 347dcfca3d17 (2016-11-21) Unrestricted Upload https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md#raw-requests-abridged |
| SourceCodester–Farm Management System | A weakness has been identified in SourceCodester Farm Management System 1.0. The affected element is an unknown function of the file /review.php. This manipulation of the argument pid causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-11-10 | 6.3 | CVE-2025-12926 | VDB-331646 \| SourceCodester Farm Management System review.php sql injection VDB-331646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681506 \| SourceCodester Farm Management System v1.0 SQL injection https://github.com/R178/cve/issues/1 https://www.sourcecodester.com/ |
| SourceCodester–Food Ordering System | A vulnerability has been found in SourceCodester Food Ordering System 1.0. Affected is an unknown function of the file /view-ticket.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-10 | 6.3 | CVE-2025-12930 | VDB-331650 \| SourceCodester Food Ordering System view-ticket.php sql injection VDB-331650 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682185 \| SOURCECODESTER Food Ordering System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/1 https://www.sourcecodester.com/ |
| SourceCodester–Food Ordering System | A vulnerability was found in SourceCodester Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/edit-orders.php. The manipulation of the argument ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-11-10 | 6.3 | CVE-2025-12931 | VDB-331651 \| SourceCodester Food Ordering System edit-orders.php sql injection VDB-331651 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682234 \| SourceCodester Food Ordering System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/5 https://www.sourcecodester.com/ |
| SourceCodester–Baby Care System | A vulnerability was identified in SourceCodester Baby Care System 1.0. This affects an unknown part of the file /updatewelcome.php?id=siteoptions&action=welcome. Such manipulation of the argument roleid leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-10 | 6.3 | CVE-2025-12933 | VDB-331653 \| SourceCodester Baby Care System updatewelcome.php sql injection VDB-331653 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682276 \| SourceCodester Baby Care System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/8 https://www.sourcecodester.com/ |
| SourceCodester–Interview Management System | A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-10 | 6.3 | CVE-2025-12939 | VDB-331663 \| SourceCodester Interview Management System addCandidate.php sql injection VDB-331663 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682314 \| SourceCodester Interview Management System V1.0 Information Disclosure + Input Validation https://github.com/puppytgyh/-CVE/issues/10 https://www.sourcecodester.com/ |
| Campcodes–School Fees Payment Management System | A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_student. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-11-12 | 6.3 | CVE-2025-13057 | VDB-332184 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332184 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682367 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/QingqingOK/CVE/issues/1 https://www.campcodes.com/ |
| SourceCodester–Alumni Management System | A weakness has been identified in SourceCodester Alumni Management System 1.0. The impacted element is an unknown function of the file /manage_career.php. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-11-12 | 6.3 | CVE-2025-13059 | VDB-332186 \| SourceCodester Alumni Management System manage_career.php sql injection VDB-332186 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682548 \| Sourcecodester Alumni Management System 1.0 SQL Injection https://github.com/CaseyW33/CVE/issues/1 https://www.sourcecodester.com/ |
| itsourcecode–Online Voting System | A vulnerability was detected in itsourcecode Online Voting System 1.0. This impacts an unknown function of the file /index.php?page=manage_voting. Performing manipulation results in unrestricted upload. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-11-12 | 6.3 | CVE-2025-13061 | VDB-332188 \| itsourcecode Online Voting System index.php unrestricted upload VDB-332188 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682587 \| itsourcecode Online Voting System V1.0 Arbitrary File Upload Vulnerability https://github.com/yihaofuweng/cve/issues/55 https://itsourcecode.com/ |
| macrozheng–mall-swarm | A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13114 | VDB-332319 \| macrozheng mall-swarm attr updateAttr improper authorization VDB-332319 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683221 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/5 |
| macrozheng–mall-swarm | A vulnerability was detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this issue is the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderID results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13118 | VDB-332323 \| macrozheng mall-swarm/mall paySuccess improper authorization VDB-332323 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683345 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686531 \| mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/9 https://github.com/Hwwg/cve/issues/14 |
| AMTT–Hotel Broadband Operation System | A flaw has been found in AMTT Hotel Broadband Operation System 1.0. The impacted element is an unknown function of the file /user/portal/get_firstdate.php. Executing manipulation of the argument uid can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13123 | VDB-332351 \| AMTT Hotel Broadband Operation System get_firstdate.php sql injection VDB-332351 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683824 \| Anmei Century (Beijing) Technology Co., Ltd. Anmei Digital Hotel Broadband Operation System v1.0 SQL Injection https://github.com/R178/cve/issues/2 |
| ury-erp–ury | A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. This manipulation of the argument search_term causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. Upgrading to version 0.2.1 mitigates this issue. Patch name: 063384e0dddfd191847cd2d6524c342cc380b058. It is suggested to upgrade the affected component. The vendor replied and reacted very professionally. | 2025-11-14 | 6.3 | CVE-2025-13168 | VDB-332456: ury-erp ury pos_extend.py overrided_past_order_list sql injection; VDB-332456: CTI Indicators (IOB, IOC, TTP, IOA); Submit #683984: ury-erp ury 0.2.0 SQL Injection; https://github.com/ictrun/ury-vulns/blob/main/README.md https://github.com/ictrun/ury-vulns/blob/main/README.md#verification-steps https://github.com/ury-erp/ury/commit/063384e0dddfd191847cd2d6524c342cc380b058 https://github.com/ury-erp/ury/releases/tag/v0.2.1 |
| n/a–ZZCMS | A vulnerability was identified in ZZCMS 2023. This impacts an unknown function of the file /admin/wangkan_list.php. Such manipulation of the argument keyword leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-14 | 6.3 | CVE-2025-13171 | VDB-332463: ZZCMS wangkan_list.php sql injection; VDB-332463: CTI Indicators (IOB, IOC, TTP, IOA); Submit #684765: zzcms 2023 SQL Injection; https://github.com/En0t5/vul/blob/main/zzcms/zzcms-sql-inject2.md https://github.com/En0t5/vul/blob/main/zzcms/zzcms-sql-inject2.md#poc |
| CodeAstro–Gym Management System | A security flaw has been discovered in CodeAstro Gym Management System 1.0. Affected is an unknown function of the file /admin/view-member-report.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-14 | 6.3 | CVE-2025-13172 | VDB-332464: CodeAstro Gym Management System view-member-report.php sql injection; VDB-332464: CTI Indicators (IOB, IOC, TTP, IOA); Submit #684785: codeastro Gym Management System V1.0 SQL Injection; https://github.com/Bixintiao/cve/issues/1 https://codeastro.com/ |
| rachelos–WeRSS we-mp-rss | A weakness has been identified in rachelos WeRSS we-mp-rss up to 1.4.7. Affected by this vulnerability is the function do_job of the file /rachelos/we-mp-rss/blob/main/jobs/mps.py of the component Webhook Module. Executing manipulation of the argument web_hook_url can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-11-14 | 6.3 | CVE-2025-13174 | VDB-332465: rachelos WeRSS we-mp-rss Webhook mps.py do_job server-side request forgery; VDB-332465: CTI Indicators (IOB, IOC, IOA); Submit #684803: rachelos WeRSS WeRSS<=1.4.7 Server-Side Request Forgery; https://www.notion.so/SSRF-vulnerability-in-WeRSS-WebHook-module-29bea92a3c4180a192b5caa9078bfb18 |
| FantasticLBP–Hotels Server | A security flaw has been discovered in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. The impacted element is an unknown function of the file controller/api/hotelList.php. The manipulation of the argument subjectId/cityName results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-15 | 6.3 | CVE-2025-13208 | VDB-332527: FantasticLBP Hotels Server hotelList.php sql injection; VDB-332527: CTI Indicators (IOB, IOC, TTP, IOA); Submit #685620: FantasticLBP Hotels_Server V1.0(Current release) SQL Injection; Submit #685622: FantasticLBP Hotels_Server V1.0(Current release) SQL Injection (Duplicate); https://github.com/naixiao/CVE/issues/1 https://github.com/naixiao/CVE/issues/2 |
| bestfeng–oa_git_free | A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5serverc-flowsrcmainjavacomcloudweboacontrollerWorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 6.3 | CVE-2025-13209 | VDB-332528: bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference; VDB-332528: CTI Indicators (IOB, IOC, IOA); Submit #685626: https://gitee.com/bestfeng/oa_git_free oa_git_free 8.0 XML external entity injection; https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md |
| itsourcecode–Inventory Management System | A vulnerability was found in itsourcecode Inventory Management System 1.0. The impacted element is an unknown function of the file /index.php?q=product. Performing manipulation of the argument PROID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2025-11-16 | 6.3 | CVE-2025-13234 | VDB-332560: itsourcecode Inventory Management System index.php sql injection; VDB-332560: CTI Indicators (IOB, IOC, TTP, IOA); Submit #686698: itsourcecode Inventory Management System v1.0 SQL Injection; https://github.com/pip-in-head/lulucat-VD/issues/1 https://itsourcecode.com/ |
| itsourcecode–Inventory Management System | A vulnerability was identified in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-16 | 6.3 | CVE-2025-13236 | VDB-332562: itsourcecode Inventory Management System index.php sql injection; VDB-332562: CTI Indicators (IOB, IOC, TTP, IOA); Submit #686702: itsourcecode Inventory Management System v1.0 SQL Injection; https://github.com/3169417664/cve/issues/3 https://itsourcecode.com/ |
| Bdtask–Flight Booking Software | A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-16 | 6.3 | CVE-2025-13238 | VDB-332564: Bdtask Flight Booking Software Edit Profile edit unrestricted upload; VDB-332564: CTI Indicators (IOB, IOC, TTP, IOA); Submit #686895: Bdtask Bdtask Flight Booking Software B2B Portal v4 Unrestricted File Upload; https://github.com/4m3rr0r/PoCVulDb/issues/6 |
| code-projects–Student Information System | A vulnerability was found in code-projects Student Information System 2.0. Impacted is an unknown function of the file /editprofile.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-11-16 | 6.3 | CVE-2025-13243 | VDB-332569: code-projects Student Information System editprofile.php sql injection; VDB-332569: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687528: code-projects Student Information System 2.0 SQL Injection; https://github.com/asd1238525/cve/blob/main/SQL15.md https://code-projects.org/ |
| shsuishang–ShopSuite ModulithShop | A vulnerability was identified in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Impacted is the function JwtAuthenticationFilter of the file src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-11-16 | 6.3 | CVE-2025-13246 | VDB-332580: shsuishang ShopSuite ModulithShop JwtAuthenticationFilter.java JwtAuthenticationFilter path traversal; VDB-332580: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687532: shsuishang modulithshop 1.0.0 Privilege Escalation; https://github.com/shsuishang/modulithshop/issues/1 |
| Jiusi–OA | A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-16 | 6.3 | CVE-2025-13249 | VDB-332583: Jiusi OA OfficeServer unrestricted upload; VDB-332583: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687599: http://www.jiusi.net/ jiusiOA n/a Arbitrary file upload vulnerability; https://github.com/rooboot501/my-project/blob/main/jiousi.md |
| WeiYe-Jing–datax-web | A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-16 | 6.3 | CVE-2025-13250 | VDB-332584: WeiYe-Jing datax-web Job triggerJob access control; VDB-332584: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687604: WeiYe-Jing DataX-Web <= 2.1.2 Broken Access Control / Horizontal Privilege Escalation; https://github.com/Xzzz111/exps/blob/main/archives/datax-web-broken-access-control-1/report.md |
| WeiYe-Jing–datax-web | A flaw has been found in WeiYe-Jing datax-web up to 2.1.2. Affected is an unknown function. Executing manipulation can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-16 | 6.3 | CVE-2025-13251 | VDB-332585: WeiYe-Jing datax-web sql injection; VDB-332585: CTI Indicators (IOB, IOC, TTP); Submit #687606: WeiYe-Jing DataX-Web <= 2.1.2 SQL Injection; https://github.com/Xzzz111/exps/blob/main/archives/datax-web-sql-injection-1/report.md |
| projectworlds–Advanced Library Management System | A vulnerability was determined in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /add_librarian.php. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 6.3 | CVE-2025-13253 | VDB-332588: projectworlds Advanced Library Management System add_librarian.php sql injection; VDB-332588: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687853: projectworlds Advanced Library Management System 1.0 SQL Injection; Submit #688779: projectworlds Advanced Library Management System 1.0 SQL Injection (Duplicate); https://github.com/Wyg2002yx/cve/blob/main/001/report.md |
| n/a–Intel(R) CIP software | Uncontrolled search path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20050 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Display Virtualization for Windows OS software | Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20065 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01303.html |
| Cisco–Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. This vulnerability is due to insufficient validation of user-supplied input in REST API request parameters. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to inject arbitrary commands that would then be executed in a restricted container with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 6.3 | CVE-2025-20349 | cisco-sa-dnac-ci-ZWLQVSwT |
| Cisco–Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2025-11-13 | 6.1 | CVE-2025-20353 | cisco-sa-dnac-xss-weXtVZ59 |
| n/a–Intel(R) CIP software | External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20614 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–SigTest | Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-22391 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01327.html |
| n/a–Intel(R) Rapid Storage Technology Application | Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24327 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01362.html |
| n/a–Intel(R) Killer(TM) Performance Suite software | Uncontrolled search path for some Intel(R) Killer(TM) Performance Suite software before version killer 4.0 40.25.509.1465 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24491 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01377.html |
| n/a–Intel(R) QAT Windows software | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24519 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–Intel(R) CIP software | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24834 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) System Support Utility | Uncontrolled search path for the Intel(R) System Support Utility before version 4.1.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24842 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01360.html |
| n/a–Intel(R) CIP software | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.3 | CVE-2025-24848 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24863 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software | Improper link resolution before file access (‘link following’) for some Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24918 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01400.html |
| n/a–Intel(R) One Boot Flash Update (Intel(R) OFU) software | Uncontrolled search path for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-25059 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01331.html |
| n/a–Intel(R) NPU Drivers | Protection mechanism failure for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-26402 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a–Intel(R) Processor Identification Utility | Incorrect default permissions for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-27246 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| n/a–Intel(R) QAT Windows software | Untrusted pointer dereference for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow an information disclosure. System software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-27710 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–Intel(R) One Boot Flash Update (Intel(R) OFU) software | Incorrect default permissions for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-27711 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01331.html |
| n/a–Intel(R) Distribution for Python software installers | Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30182 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01382.html |
| n/a–Intel Driver and Support Assistant | Uncontrolled search path for some Intel Driver and Support Assistant before version 25.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30506 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01361.html |
| n/a–Intel(R) PresentMon | Incorrect default permissions for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30518 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01392.html |
| Zoom Communications Inc.–Zoom Workplace VDI Plugin macOS Universal installer | Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 6.6 | CVE-2025-30662 | https://www.zoom.com/en/trust/security-bulletin/zsb-25045 |
| n/a–Intel Ethernet Adapter Complete Driver Pack software | Time-of-check time-of-use race condition for some Intel Ethernet Adapter Complete Driver Pack software before version 1.5.1.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.1 | CVE-2025-31146 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01376.html |
| n/a–System Event Log Viewer Utility software | Uncontrolled search path for some System Event Log Viewer Utility software for all versions within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31645 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01380.html |
| n/a–Intel(R) Graphics Software | Uncontrolled search path for some Intel(R) Graphics Software before version 25.22.1502.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31647 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a–Instrumentation and Tracing Technology API (ITT API) software | Uncontrolled search path for the Instrumentation and Tracing Technology API (ITT API) software before version 3.25.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31931 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01337.html |
| n/a–Intel(R) Thread Director Visualizer software | Incorrect default permissions for some Intel(R) Thread Director Visualizer software before version 1.1.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31940 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01375.html |
| n/a–Intel(R) Processor Identification Utility | Uncontrolled search path for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32001 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| n/a–Intel oneAPI DPC++/C++ Compiler software | Uncontrolled search path for some FPGA Support Package for the Intel oneAPI DPC++/C++ Compiler software before version 2025.0.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32038 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01364.html |
| n/a–Intel QuickAssist Technology software | Untrusted pointer dereference for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-32446 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–PRI Driver software | Unquoted search path for some PRI Driver software before version 03.03.1002 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32449 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01394.html |
| n/a–Intel(R) QAT Windows software | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.6 | CVE-2025-32732 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| IBM–QRadar Security Information and Event Management | IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user. | 2025-11-12 | 6.5 | CVE-2025-33119 | https://www.ibm.com/support/pages/node/7250932 |
| NVIDIA–Triton Inference Server | NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where an attacker could cause a stack overflow by sending extra-large payloads. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-11 | 6.5 | CVE-2025-33202 | https://nvd.nist.gov/vuln/detail/CVE-2025-33202 https://www.cve.org/CVERecord?id=CVE-2025-33202 https://nvidia.custhelp.com/app/answers/detail/a_id/5723 |
| n/a–Slim Bootloader | Protection mechanism failure in the UEFI firmware for the Slim Bootloader within firmware may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.4 | CVE-2025-35968 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01395.html |
| n/a–Intel MPI Library | Uncontrolled search path for the Intel MPI Library before version 2021.16 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-35972 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01386.html |
| Siemens–LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not perform certain validations when interacting with them. This could allow an unauthenticated remote attacker to change the device's time, which could alter the device's behaviour. | 2025-11-11 | 6.5 | CVE-2025-40817 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| SAP_SE–SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider. This could further lead to disclosure or modification of information about the server. There is no impact on availability. | 2025-11-11 | 6.5 | CVE-2025-42884 | https://me.sap.com/notes/3660969 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business Connector | Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim accesses this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access or modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. | 2025-11-11 | 6.1 | CVE-2025-42886 | https://me.sap.com/notes/3665907 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business Connector | Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. | 2025-11-11 | 6.8 | CVE-2025-42892 | https://me.sap.com/notes/3665900 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business Connector | Due to an Open Redirect vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site displayed within an embedded frame. Successful exploitation could allow the attacker to steal sensitive information and perform unauthorized actions, impacting the confidentiality and integrity of web client data. There is no impact to system availability resulting from this vulnerability. | 2025-11-11 | 6.1 | CVE-2025-42893 | https://me.sap.com/notes/3662000 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business Connector | Due to a Path Traversal vulnerability in SAP Business Connector, an attacker authenticated as an administrator with adjacent access could read, write, overwrite, and delete arbitrary files on the host system. Successful exploitation could enable the attacker to execute arbitrary operating system commands on the server, resulting in a complete compromise of the confidentiality, integrity, and availability of the affected system. | 2025-11-11 | 6.8 | CVE-2025-42894 | https://me.sap.com/notes/3666038 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP HANA JDBC Client | Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application. | 2025-11-11 | 6.9 | CVE-2025-42895 | https://me.sap.com/notes/3643385 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP S/4HANA landscape (SAP E-Recruiting BSP) | SAP E-Recruiting BSP in an SAP S/4HANA landscape allows an unauthenticated attacker to craft malicious links that, when clicked, redirect the victim to a page controlled by the attacker. This has low impact on confidentiality and integrity of the application with no impact on availability. | 2025-11-11 | 6.1 | CVE-2025-42924 | https://me.sap.com/notes/3642398 https://url.sap/sapsecuritypatchday |
| Qualys Inc–Qualys Agent | The Qualys Cloud Agent for supported Linux versions included a bundled uninstall script (qagent_uninstall.sh) that invoked multiple system commands without absolute paths and without resetting the $PATH environment variable. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker who already holds root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges. | 2025-11-10 | 6.3 | CVE-2025-43079 | https://www.qualys.com/security-advisories/cve-2025-43079 |
| Dell–Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2025-11-13 | 6.6 | CVE-2025-46362 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell–Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2025-11-13 | 6.6 | CVE-2025-46368 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Axis Communications AB–AXIS OS | An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-4645 | https://www.axis.com/dam/public/69/47/ff/cve-2025-4645pdf-en-US-504211.pdf |
| Microsoft–Microsoft Configuration Manager | Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 6.7 | CVE-2025-47179 | Configuration Manager Elevation of Privilege Vulnerability |
| Axis Communications AB–AXIS OS | A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.6 | CVE-2025-5452 | https://www.axis.com/dam/public/39/ba/8b/cve-2025-5452pdf-en-US-504212.pdf |
| Axis Communications AB–AXIS OS | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.4 | CVE-2025-5454 | https://www.axis.com/dam/public/48/ab/82/cve-2025-5454pdf-en-US-504213.pdf |
| Mattermost–Mattermost | Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events | 2025-11-14 | 6.5 | CVE-2025-55070 | https://mattermost.com/security-updates |
| Axis Communications AB–AXIS OS | The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.8 | CVE-2025-5718 | https://www.axis.com/dam/public/3c/a4/6a/cve-2025-5718pdf-en-US-504214.pdf |
| Mattermost–Mattermost | Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses | 2025-11-13 | 6.1 | CVE-2025-59480 | https://mattermost.com/security-updates |
| Microsoft–Windows 10 Version 1809 | Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally. | 2025-11-11 | 6.5 | CVE-2025-60708 | Storvsp.sys Driver Denial of Service Vulnerability |
| Microsoft–OneDrive for Android | Improper limitation of a pathname to a restricted directory (‘path traversal’) in OneDrive for Android allows an authorized attacker to elevate privileges over a network. | 2025-11-11 | 6.5 | CVE-2025-60722 | Microsoft OneDrive for Android Elevation of Privilege Vulnerability |
| Microsoft–Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows DirectX allows an authorized attacker to deny service over a network. | 2025-11-11 | 6.3 | CVE-2025-60723 | DirectX Graphics Kernel Denial of Service Vulnerability |
| Microsoft–Microsoft Dynamics 365 (on-premises) version 9.1 | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 6.5 | CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| Microsoft–Microsoft Visual Studio 2022 version 17.14 | Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio allows an authorized attacker to execute code locally. | 2025-11-11 | 6.7 | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability |
| Microsoft–Microsoft Visual Studio Code CoPilot Chat Extension | Improper limitation of a pathname to a restricted directory (‘path traversal’) in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally. | 2025-11-11 | 6.8 | CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability |
| Axis Communications AB–AXIS OS | ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-6298 | https://www.axis.com/dam/public/ef/91/c3/cve-2025-6298pdf-en-US-504215.pdf |
| Brightpick AI–Brightpick Mission Control / Internal Logic Control | The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes. | 2025-11-14 | 6.5 | CVE-2025-64307 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| withastro–astro | Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 that use on-demand rendering, the request headers `x-forwarded-proto` and `x-forwarded-port` are used without sanitization to build the request URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential stored XSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch. | 2025-11-13 | 6.5 | CVE-2025-64525 | https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767 https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4 https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121 https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97 |
| 1Panel-dev–MaxKB | MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information by running Python code in the tool module, even though that code executes in a sandbox. Version 2.3.1 fixes the issue. | 2025-11-13 | 6.3 | CVE-2025-64703 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-qwvm-x4xh-g2qq |
| directus–directus | Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue. | 2025-11-13 | 6.5 | CVE-2025-64748 | https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204 |
| gristlabs–grist-core | grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials. | 2025-11-13 | 6.8 | CVE-2025-64752 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3 https://github.com/gristlabs/grist-core/releases/tag/v1.7.7 |
| Axis Communications AB–AXIS OS | A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it. | 2025-11-11 | 6 | CVE-2025-6571 | https://www.axis.com/dam/public/1f/f8/f0/cve-2025-6571pdf-en-US-504216.pdf |
| Axis Communications AB–AXIS OS | An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-6779 | https://www.axis.com/dam/public/92/9a/13/cve-2025-6779pdf-en-US-504217.pdf |
| Axis Communications AB–AXIS OS | An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-8108 | https://www.axis.com/dam/public/38/20/aa/cve-2025-8108pdf-en-US-504218.pdf |
| AVEVA–Application Server | The vulnerability, if exploited, could allow an authenticated attacker (with the "aaConfigTools" privilege) to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that, when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected. | 2025-11-14 | 6.9 | CVE-2025-8386 | https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin-AVEVA-2025-005.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-02.json |
| restpack–Save as PDF Button | The Save as PDF Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s restpackpdfbutton shortcode in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-13 | 6.4 | CVE-2025-8397 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c648fca-c36f-41a0-9d29-3f669f3669d9?source=cve https://plugins.svn.wordpress.org/save-as-pdf/trunk/save-as-pdf.php https://wordpress.org/plugins/save-as-pdf/#developers |
| Lenovo–Dock Manager | An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges. | 2025-11-12 | 6.6 | CVE-2025-8421 | https://support.lenovo.com/us/en/product_security/LEN-198729 |
| wedevs–Project Management & Task Manager with Kanban Board & Gantt Chart WP Project Manager | The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-15 | 6.5 | CVE-2025-8994 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74984cc6-06b1-4c3a-a3e6-9e104c71e9c5?source=cve https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.24/src/Task/Helper/Task.php#L1484 https://plugins.trac.wordpress.org/changeset/3386164/ |
| Axis Communications AB–AXIS OS | The VAPIX Edge storage API allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account. | 2025-11-11 | 6.4 | CVE-2025-9055 | https://www.axis.com/dam/public/23/a3/00/cve-2025-9055pdf-en-US-504219.pdf |
| Zohocorp–ManageEngine OpManager | Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor. | 2025-11-11 | 6.5 | CVE-2025-9227 | https://www.manageengine.com/itom/advisory/cve-2025-9227.html |
| mintty–mintty | Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can make the mintty process open a file at an attacker-chosen path; the access is triggered simply by printing the sequences in a bash session. Because the path can be an arbitrary network (UNC) path, the victim's machine will authenticate to an attacker-controlled remote host, leaking a NetNTLMv2 response that the attacker can crack offline with password-cracking tools or relay to other services. Version 3.7.5 fixes the issue. | 2025-11-12 | 5.3 | CVE-2024-45301 | https://github.com/mintty/mintty/security/advisories/GHSA-jf4m-m6rv-p6c5 |
| benmoody–WP Headless CMS Framework | The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to. | 2025-11-13 | 5.3 | CVE-2025-11260 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a99806-cb8f-4c12-86ed-2cdbb45ba873?source=cve https://wordpress.org/plugins/wp-rest-headless/ |
| softivus–Wisly | The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the ‘wishlist_id’ user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other users’ wishlists. | 2025-11-11 | 5.3 | CVE-2025-11532 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve https://wordpress.org/plugins/wisly/ |
| mitegvg–Slippy Slider Responsive Touch Navigation Slider | The Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘slippy-slider’ shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 5.4 | CVE-2025-11874 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21b6748a-43fb-4326-ac1f-d3ae2a6700f2?source=cve https://plugins.trac.wordpress.org/browser/slippy-slider-responsive-touch-navigation-slider/tags/2.0/slippy-slider.php#L46 |
| shelfplanner–Shelf Planner | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | 2025-11-11 | 5.3 | CVE-2025-11891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/17f17cae-f444-4fa1-9090-ec6ea267ef2e?source=cve https://wordpress.org/plugins/shelf-planner/ |
| shelfplanner–Shelf Planner | The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to modify several of the plugin’s settings like the ServerKey and LicenseKey. | 2025-11-11 | 5.3 | CVE-2025-11894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/107031b3-5071-490a-a8f7-060212b1724c?source=cve https://wordpress.org/plugins/shelf-planner/ |
| odude–Crypto Tool | The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin’s custom_users table. | 2025-11-11 | 5.3 | CVE-2025-11986 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95 |
| odude–Crypto Tool | The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts. | 2025-11-11 | 5.3 | CVE-2025-11988 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3281d6eb-9f14-43d4-a4d4-532993039e53?source=cve https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L137 |
| toastwebsites–Find Unused Images | The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site’s attachments. | 2025-11-11 | 5.3 | CVE-2025-11996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44 https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53 https://wordpress.org/plugins/find-unused-images/ |
| ngothoai–Document Pro Elementor Documentation & Knowledge Base | The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service. | 2025-11-11 | 5.3 | CVE-2025-11997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ac7455a-0c89-4f5b-84eb-b7cc87bce8d4?source=cve https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L85 https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L71 |
| krishaweb–Add Multiple Marker | The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API key and reset maps. | 2025-11-11 | 5.3 | CVE-2025-11999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php https://tinyurl.com/2bcmmpxb |
| Lenovo–Scanner Pro | A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the application. | 2025-11-12 | 5.3 | CVE-2025-12047 | https://iknow.lenovo.com.cn/detail/434327 |
| ryanmoyer–The Total Book Project | The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them. | 2025-11-11 | 5.4 | CVE-2025-12126 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve https://wordpress.org/plugins/the-total-book-project/ |
| smub–Gallery Plugin for WordPress Envira Photo Gallery | The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0. | 2025-11-13 | 5.3 | CVE-2025-12377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/69a0d985-cc85-45ba-889d-1ed30d06f9ce?source=cve https://drive.google.com/file/d/1AgsJeff1x4pQAFVGmoSwwU75iiH4-H_p/view?usp=sharing https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/admin/ajax.php https://research.cleantalk.org/cve-2025-12377/ https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/admin/ajax.php?old=3133202&old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fadmin%2Fajax.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394455%40envira-gallery-lite&old=3387243%40envira-gallery-lite&sfp_email=&sfph_mail= |
| brainstormforce–SureForms Contact Form, Custom Form Builder, Calculator & More | The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the ‘_srfm_email_notification’ post meta registration. This is due to setting the ‘auth_callback’ parameter to ‘__return_true’, which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems. | 2025-11-13 | 5.3 | CVE-2025-12536 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892 https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php |
| loveless–RandomQuotr | The RandomQuotr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 5.5 | CVE-2025-12632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/42308a6e-cb04-42dc-90b0-9b40c264ad53?source=cve https://it.wordpress.org/plugins/randomquotr/ |
| ronalfy–Comment Edit Core Simple Comment Editing | The Comment Edit Core – Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the ‘ajax_get_comment’ function. This makes it possible for unauthenticated attackers to extract sensitive data including user IDs, IP addresses, and email addresses. | 2025-11-13 | 5.3 | CVE-2025-12681 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4f954b02-b636-438b-a4b1-9b74df153c47?source=cve https://plugins.trac.wordpress.org/browser/simple-comment-editing/trunk/includes/Ajax.php#L230 https://plugins.trac.wordpress.org/changeset/3392054/ |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition. | 2025-11-11 | 5.5 | CVE-2025-12748 | https://access.redhat.com/security/cve/CVE-2025-12748 RHBZ#2413801 |
| themefic–Hydra Booking Appointment Scheduling & Booking Calendar | The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin’s “tfhb_meeting_form_submit_callback” function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint. | 2025-11-11 | 5.3 | CVE-2025-12787 | https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03?source=cve https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php |
| themefic–Hydra Booking Appointment Scheduling & Booking Calendar | The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthenticated payment bypass due to missing payment verification in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification against PayPal’s API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring. | 2025-11-11 | 5.3 | CVE-2025-12788 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49ce4a2-52ad-4824-86fc-5edd2e33802d?source=cve https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php |
| n/a–PostgreSQL | Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | 2025-11-13 | 5.9 | CVE-2025-12818 | https://www.postgresql.org/support/security/CVE-2025-12818/ |
| contest-gallery–Contest Gallery Upload, Vote & Sell with PayPal and Stripe | The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files. | 2025-11-15 | 5.3 | CVE-2025-12849 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e000c4ad-43ec-4ad0-89f9-74e9e6d8b917?source=cve https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L42 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L47 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L64 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L15 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L173 https://wordpress.org/plugins/contest-gallery/#developers |
| aEnrich–a+HRD | The a+HRD and a+HCM developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visiting a specific URL. | 2025-11-12 | 5.4 | CVE-2025-12872 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| jobayer534–Progress Bar Blocks for Gutenberg | The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-11 | 5.4 | CVE-2025-12880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3bc48d4d-eeee-47f7-be5e-0d6a43473aa0?source=cve https://wordpress.org/plugins/progressmatify-blocks/ |
| ays-pro–Survey Maker | The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘ays_survey_show_results’ AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions. | 2025-11-13 | 5.3 | CVE-2025-12891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php |
| ays-pro–Survey Maker | The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option. | 2025-11-13 | 5.3 | CVE-2025-12892 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6abc7605-2daa-44a9-8f2f-cbaacbea9348?source=cve https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php |
| uscnanbu–Welcart e-Commerce | The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘usces_export’ action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (e.g. the PayPal API secret), as well as business contact details, mail templates, and other operational settings tied to the store. | 2025-11-13 | 5.3 | CVE-2025-12979 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26255cd9-2361-4d17-8d1b-9bdadcc69043?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394001%40usc-e-shop&new=3394001%40usc-e-shop&sfp_email=&sfph_mail= |
| macrozheng–mall-swarm | A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Executing manipulation of the argument orderId can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 5.4 | CVE-2025-13116 | VDB-332321: macrozheng mall-swarm/mall cancelUserOrder improper authorization; VDB-332321: CTI Indicators (IOB, IOC, TTP, IOA); Submit #683339: mall-swarm <=1.0.3 Improper Control of Resource Identifiers; Submit #686530: mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate); https://github.com/Hwwg/cve/issues/8 https://github.com/Hwwg/cve/issues/13 |
| macrozheng–mall-swarm | A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 5.4 | CVE-2025-13117 | VDB-332322: macrozheng mall-swarm/mall cancelOrder improper authorization; VDB-332322: CTI Indicators (IOB, IOC, TTP, IOA); Submit #683340: mall-swarm <=1.0.3 Improper Control of Resource Identifiers; Submit #686529: mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate); https://github.com/Hwwg/cve/issues/7 https://github.com/Hwwg/cve/issues/12 |
| n/a–mruby | A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue. | 2025-11-13 | 5.3 | CVE-2025-13120 | VDB-332325: mruby array.c sort_cmp use after free; VDB-332325: CTI Indicators (IOB, IOC, IOA); Submit #683435: mruby 3.4.0 Use After Free; https://github.com/mruby/mruby/issues/6649 https://github.com/makesoftwaresafe/mruby/pull/263 https://github.com/mruby/mruby/issues/6649#issue-3534393003 https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc |
| IQ Service International–IQ-Support | IQ-Support developed by IQ Service International has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network. | 2025-11-14 | 5.3 | CVE-2025-13160 | https://www.twcert.org.tw/en/cp-139-10502-11c6d-2.html https://www.twcert.org.tw/tw/cp-132-10501-a25a6-1.html |
| Intelbras–ICIP | A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-14 | 5.3 | CVE-2025-13187 | VDB-332475: Intelbras ICIP acessodeusuario.xml credentials storage; VDB-332475: CTI Indicators (IOB, IOC, TTP, IOA); Submit #685522: Intelbras ICIP 2.0.20 Unprotected Storage of Credentials; https://www.notion.so/eldruin/Intelbras-ICIP-Plaintext-Admin-Credentials-Disclosure-29b27474cccb80ff943ff2776d03d7cd |
| code-projects–Email Logging Interface | A vulnerability was found in code-projects Email Logging Interface 2.0. Affected is an unknown function of the file signup.cpp. The manipulation of the argument Username results in path traversal: ‘../filedir’. The attack is only possible with local access. The exploit has been made public and could be used. | 2025-11-15 | 5.3 | CVE-2025-13199 | VDB-332497: code-projects Email Logging Interface signup.cpp path traversal; VDB-332497: CTI Indicators (IOB, IOC, TTP, IOA); Submit #685549: code-projects Email Logging Interface 2.0 Path Traversal: ‘../filedir’; https://github.com/asd1238525/cve/blob/main/Dir1c.md https://github.com/asd1238525/cve/blob/main/Dir1c.md#poc https://code-projects.org/ |
| SourceCodester–Farm Management System | A vulnerability was determined in SourceCodester Farm Management System 1.0. Affected by this vulnerability is an unknown functionality. This manipulation causes exposure of information through directory listing. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-15 | 5.3 | CVE-2025-13200 | VDB-332498: SourceCodester Farm Management System exposure of information through directory listing; VDB-332498: CTI Indicators (IOB, IOC, TTP); Submit #685615: SourceCodester Farm Management System v1.0 Directory traversal; https://github.com/Shaker-Chen/cve/issues/1 https://www.sourcecodester.com/ |
| Intelbras–UnniTI | A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Executing manipulation of the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 5.3 | CVE-2025-13221 | VDB-332537: Intelbras UnniTI usuarios.xml credentials storage; VDB-332537: CTI Indicators (IOB, IOC, TTP, IOA); Submit #685825: Intelbras UnniTI 24.07.11 Unprotected Storage of Credentials; https://www.notion.so/eldruin/Intelbras-UnniTI-Plaintext-Admin-Credentials-Disclosure-29c27474cccb8008b2d7ea60affdf86e?source=copy_link |
| n/a–Intel(R) PROSet/Wireless WiFi Software for Windows | Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Authorized adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts. | 2025-11-11 | 5.6 | CVE-2025-24512 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Omnissa–Omnissa Workspace ONE UEM | Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks. | 2025-11-12 | 5.3 | CVE-2025-25236 | https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf https://www.omnissa.com/omnissa-security-response/ |
| n/a–Intel(R) NPU Drivers | Improper control of dynamically-managed code resources for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.9 | CVE-2025-26405 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a–Intel(R) QAT Windows software | Null pointer dereference for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.5 | CVE-2025-26694 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–Gaudi software | Uncontrolled resource consumption for some Gaudi software before version 1.21.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.5 | CVE-2025-27249 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01374.html |
| n/a–Intel(R) Neural Compressor software | Improper neutralization for some Intel(R) Neural Compressor software before version v3.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.7 | CVE-2025-27712 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01365.html |
| Unisoc (Shanghai) Technologies Co., Ltd.–SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T750/T765/T760/T770/T820/S8000/T8300/T9300 | In the TEE ECDSA algorithm, there is a possible memory consistency issue. This could lead to generating incorrect signature results with low probability. | 2025-11-11 | 5.1 | CVE-2025-31719 | https://www.unisoc.com/en/support/announcement/1987692028719517698 |
| n/a–Intel(R) QAT Windows software | Out-of-bounds read for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.6 | CVE-2025-31937 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| IBM–Cognos Analytics Certified Containers | IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages. | 2025-11-10 | 5.3 | CVE-2025-33150 | https://www.ibm.com/support/pages/node/7250395 |
| NVIDIA–AuthN component of NVIDIA AIStore | NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure. | 2025-11-11 | 5.3 | CVE-2025-33185 | https://nvd.nist.gov/vuln/detail/CVE-2025-33185 https://www.cve.org/CVERecord?id=CVE-2025-33185 https://nvidia.custhelp.com/app/answers/detail/a_id/5724 |
| IBM–OpenPages | IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of the HTTP Host header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2025-11-12 | 5.4 | CVE-2025-36223 | https://www.ibm.com/support/pages/node/7250239 |
| Siemens–Altair Grid Engine | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly handle error messages and disclose sensitive password hash information when processing user authentication requests. This could allow a local attacker to extract password hashes for privileged accounts, which can then be subjected to offline brute-force attacks. | 2025-11-11 | 5.5 | CVE-2025-40760 | https://cert-portal.siemens.com/productcert/html/ssa-514895.html |
| SAP_SE–SAP HANA 2.0 (hdbrss) | Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. As a result, it has a low impact on the confidentiality but no impact on the integrity and availability of the system. | 2025-11-11 | 5.8 | CVE-2025-42885 | https://me.sap.com/notes/3639264 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP GUI for Windows | SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime. This vulnerability has a high impact on confidentiality, with no impact on integrity and availability. | 2025-11-11 | 5.5 | CVE-2025-42888 | https://me.sap.com/notes/3651097 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Starter Solution (PL SAFT) | SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application’s confidentiality and integrity but no impact on its availability. | 2025-11-11 | 5.4 | CVE-2025-42889 | https://me.sap.com/notes/2886616 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP Business One (SLD) | Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability. | 2025-11-11 | 5.3 | CVE-2025-42897 | https://me.sap.com/notes/3652901 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP NetWeaver Application Server Java | Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server. | 2025-11-11 | 5.3 | CVE-2025-42919 | https://me.sap.com/notes/3643603 https://url.sap/sapsecuritypatchday |
| Dell–PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.10.1.3 and versions 9.11.0.0 through 9.12.0.0, contains a use of a broken or risky cryptographic algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2025-11-10 | 5.9 | CVE-2025-43723 | https://www.dell.com/support/kbdoc/en-us/000390206/dsa-2025-381-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Zscaler–Zscaler Client Connector | A health check port on Zscaler Client Connector on Windows, versions 4.6 < 4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls. | 2025-11-12 | 5.2 | CVE-2025-54983 | https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025 |
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. | 2025-11-14 | 5.4 | CVE-2025-55073 | https://mattermost.com/security-updates |
| Red Hat–Red Hat Enterprise Linux 10 | If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC’s response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients. | 2025-11-12 | 5.9 | CVE-2025-59089 | RHSA-2025:21138 RHSA-2025:21139 RHSA-2025:21140 RHSA-2025:21141 RHSA-2025:21142 RHSA-2025:21448 https://access.redhat.com/security/cve/CVE-2025-59089 RHBZ#2393958 https://github.com/latchset/kdcproxy/pull/68 |
| Microsoft–Microsoft Office LTSC 2021 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59240 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59509 | Windows Speech Recognition Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Improper link resolution before file access (‘link following’) in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | 2025-11-11 | 5.5 | CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability |
| Microsoft–Windows 10 Version 1809 | Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59513 | Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-60706 | Windows Hyper-V Information Disclosure Vulnerability |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled. | 2025-11-15 | 5.3 | CVE-2025-6171 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #549730 HackerOne Bug Bounty Report #3183740 |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61840 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61841 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Use After Free vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61842 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61843 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61844 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe–Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61845 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Microsoft–Windows 10 Version 1809 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-62208 | Windows License Manager Information Disclosure Vulnerability |
| Microsoft–Windows 10 Version 1809 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-62209 | Windows License Manager Information Disclosure Vulnerability |
| Microsoft–Visual Studio Code | Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | 2025-11-11 | 5 | CVE-2025-62453 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability |
| Zoom Communications Inc.–Zoom Clients | Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 5.3 | CVE-2025-62483 | https://www.zoom.com/en/trust/security-bulletin/zsb-25047 |
| langfuse–langfuse | Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user-controlled orgId and used it in authorization checks. As a result, any authenticated user on the same Langfuse instance could enumerate names and email addresses of users in another organization if they knew the target organization's ID. Disclosure is limited to names and email addresses of members/invitees. No customer data such as traces, prompts, or evaluations is exposed or accessible. For Langfuse Cloud, the maintainers ran a thorough investigation of access logs of the last 30 days and could not find any evidence that this vulnerability was exploited. For most self-hosting deployments, the attack surface is significantly reduced given an SSO provider is configured and email/password sign-up is disabled. In these cases, only users who authenticate via the Enterprise SSO IdP (e.g. Okta) would be able to exploit this vulnerability to access the member list, i.e. internal users getting access to a list of other internal users. In order to exploit the vulnerability, the actor must have a valid Langfuse user account within the same instance, know the target orgId, and use the request made to the API that powers the frontend membership tables, including their project/user authentication token, while changing the orgId to the target organization. Langfuse Cloud (EU, US, HIPAA) were affected until fix deployment on November 1, 2025. The maintainers reviewed the Langfuse Cloud access logs from the past 30 days and found no evidence that this vulnerability was exploited. Self-Hosted versions which contain patches include v2.95.11 for major version 2 and v3.124.1 for major version 3. There are no known workarounds. Upgrading is required to fully mitigate this issue. | 2025-11-10 | 5 | CVE-2025-64504 | https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69 https://github.com/langfuse/langfuse/commit/67990ebfdcf0f0c32a6710efa7ddbda073812ab4 https://github.com/langfuse/langfuse/commit/6c2529049a4c962928c435984c81a547a497e3e5 https://github.com/langfuse/langfuse/releases/tag/v2.70.0 https://github.com/langfuse/langfuse/releases/tag/v2.95.11 https://github.com/langfuse/langfuse/releases/tag/v3.124.1 |
| JetBrains–Hub | In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API | 2025-11-10 | 5.3 | CVE-2025-64683 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432, improper access control allowed modification of MCP tool logic. | 2025-11-10 | 5.4 | CVE-2025-64687 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432, an insecure Junie configuration could lead to data exposure and unauthorized changes. | 2025-11-10 | 5.4 | CVE-2025-64690 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| baptisteArno–typebot.io | Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user’s API token and retrieve its value by simply knowing the target user’s ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue. | 2025-11-13 | 5 | CVE-2025-64706 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp |
| PrivateBin–PrivateBin | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain remote code execution. The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets, because data files are created with PHP code that prevents execution, but if a configuration file without that line got created, or the visitor figures out the relative path to a PHP script that directly performs an action without appropriate privilege checking, those might execute or leak information. The issue has been patched in version 2.0.3. As a workaround, set `templateselection = false` (which is the default) in `cfg/conf.php` or remove it entirely. | 2025-11-13 | 5.8 | CVE-2025-64714 | https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-g2j9-g8r5-rg82 https://github.com/PrivateBin/PrivateBin/commit/4434dbf73ac53217fda0f90d8cf9b6110f8acc4f |
| nodeca–js-yaml | js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it is possible for an attacker to modify the prototype of the result of a parsed YAML document via prototype pollution (`__proto__`). All users who parse untrusted YAML documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by running Node with `node --disable-proto=delete`, or by using `deno` (in Deno, pollution protection is on by default). | 2025-11-13 | 5.3 | CVE-2025-64718 | https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 |
| Zoom Communications Inc.–Zoom Workplace for macOS | External control of file name or path in Zoom Workplace for macOS before version 6.5.10 may allow an authenticated user to conduct a disclosure of information via local access. | 2025-11-13 | 5 | CVE-2025-64738 | https://www.zoom.com/en/trust/security-bulletin/zsb-25040 |
| directus–directus | Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue. | 2025-11-13 | 5.5 | CVE-2025-64747 | https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e |
| gristlabs–grist-core | grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint. | 2025-11-13 | 5.3 | CVE-2025-64753 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685 https://github.com/gristlabs/grist-core/releases/tag/v1.7.7 |
| SMCI–SYS-111C-NR | The Supermicro BMC Insyde SMASH shell program has a stack-based buffer overflow vulnerability. | 2025-11-13 | 5.4 | CVE-2025-7704 | https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2025 |
| Siemens–Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application allows alteration of the local database that contains the application credentials. This allows an attacker to gain administrative application privileges. | 2025-11-11 | 4.7 | CVE-2024-32014 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Avast–Free Antivirus | Collision in MiniFilter driver in Avast Software Avast Free Antivirus before 25.9 on Windows allows a local attacker with administrative privileges to disable real-time protection and self-defense mechanisms. | 2025-11-11 | 4.4 | CVE-2025-10905 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Mattermost–Mattermost | Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | 2025-11-14 | 4.3 | CVE-2025-11776 | https://mattermost.com/security-updates |
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint | 2025-11-14 | 4.9 | CVE-2025-11794 | https://mattermost.com/security-updates |
| GitLab–GitLab | An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | 2025-11-15 | 4.3 | CVE-2025-11865 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #561399 |
| codethislab–CTL Arcade Lite | The CTL Arcade Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the ‘ctl_arcade_lite_page_manage_games’ page. This makes it possible for unauthenticated attackers to deactivate and activate arbitrary plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-11886 | https://www.wordfence.com/threat-intel/vulnerabilities/id/44bca8c2-1591-484c-ac40-8c968d5d1cad?source=cve https://wordpress.org/plugins/ctl-arcade-lite/ |
| jdsofttech–School Management System WPSchoolPress | The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the ‘SCodes’ parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-14 | 4.9 | CVE-2025-11981 | https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc4a20-0136-4fb4-9489-07140b2b86aa?source=cve https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.9/lib/wpsp-ajaxworks.php#L1872 https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.9/lib/wpsp-ajaxworks.php#L1844 https://plugins.trac.wordpress.org/changeset/3389346#file62 |
| sanderkah–Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed | The Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_wpqai_disconnect_quicq_afosto’ AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto | 2025-11-13 | 4.3 | CVE-2025-12015 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09f01dcc-685b-485b-8572-cdf73d0157dc?source=cve https://wordpress.org/plugins/quicq/ |
| sourcefound–MembershipWorks Membership, Events & Directory | The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-12 | 4.4 | CVE-2025-12018 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve https://wordpress.org/plugins/memberfindme/ https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103 https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail= |
| mervinpraison–Featured Image | The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fa16605a-12bd-48a8-b9a9-db53bf3c2c39?source=cve https://wordpress.org/plugins/featured-image/ https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/featured-image/stored-xss.md https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L26 https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L35 https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L65 |
| kanwei_doublethedonation–Double the Donation A workplace giving tool | The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.9 | CVE-2025-12020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba2d29-26dc-4c5f-9d9d-9a13e25c44b9?source=cve https://wordpress.org/plugins/double-the-donation/ https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L59 https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L79 |
| acowebs–Wishlist and Save for later for Woocommerce | The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the ‘awwlm_remove_added_wishlist_page’ AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other users’ wishlists. | 2025-11-12 | 4.3 | CVE-2025-12087 | https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/ |
| webtoffee–Alt Text Generator AI Auto Generate & Bulk Update Alt Texts For Images | The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site. | 2025-11-12 | 4.3 | CVE-2025-12113 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5309e891-ced1-496f-8ee5-c089a91a7666?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390619%40alt-text-generator&new=3390619%40alt-text-generator&sfp_email=&sfph_mail= |
| larsactionhero–WP Custom Admin Login Page Logo | The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4. This is due to missing or incorrect nonce validation on the wpclpl_save functionality. This makes it possible for unauthenticated attackers to modify the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-12132 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6164b272-aa12-4ee3-a73a-64882ff5a899?source=cve https://wordpress.org/plugins/wp-custom-login-page-logo/ |
| qodeinteractive–Qi Blocks | The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images. | 2025-11-15 | 4.3 | CVE-2025-12182 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41b0b12f-ff52-4913-aa54-3fbaf0839959?source=cve https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/media/class-qi-blocks-media.php#L138 https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/media/class-qi-blocks-media.php |
| softaculous–Page Builder: Pagelayer Drag and Drop website builder | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | 2025-11-13 | 4.3 | CVE-2025-12366 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394407%40pagelayer%2Ftrunk&old=3384061%40pagelayer%2Ftrunk&sfp_email=&sfph_mail= |
| wpchill–Image Gallery Photo Grid & Video Gallery | The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server. | 2025-11-15 | 4.3 | CVE-2025-12494 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca423309-d8bd-46a4-9e88-9534d9c60b4a?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L554 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L567 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L589 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L597 https://research.cleantalk.org/cve-2025-12494/ https://plugins.trac.wordpress.org/changeset/3391790/modula-best-grid-gallery/trunk?contextall=1&old=3390878&old_path=%2Fmodula-best-grid-gallery%2Ftrunk |
| michielve–Private Google Calendars | The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘pgc_remove’ action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin’s settings. | 2025-11-11 | 4.3 | CVE-2025-12526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/900294ef-dedb-49d3-b544-eae64399ea03?source=cve https://wordpress.org/plugins/private-google-calendars/ |
| iworks–Fleet Manager | The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12538 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e72644c-138d-4733-bcca-a8305273d1a0?source=cve https://it.wordpress.org/plugins/fleet/ |
| behzadrohizadeh–USB Qr Code Scanner For Woocommerce | The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-12588 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e02d105-0f1e-479e-a537-7a7fdbbd7804?source=cve https://plugins.trac.wordpress.org/browser/usb-qr-code-scanner-for-woocommerce/tags/1.0.0/usb-qrcode-scanner-for-woocommerce.php#L410 https://plugins.trac.wordpress.org/browser/usb-qr-code-scanner-for-woocommerce/tags/1.0.0/usb-qrcode-scanner-for-woocommerce.php#L149 |
| ays-pro–Poll Maker Versus Polls, Anonymous Polls, Image Polls | The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-13 | 4.9 | CVE-2025-12620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/56e0efba-4913-4772-8a5b-5cb5c84b5d48?source=cve https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2033 https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2053 |
| spokanetony–Squirrels Auto Inventory | The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12631 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve https://wordpress.org/plugins/squirrels-auto-inventory/ |
| lovelightplugins–Ninja Countdown \| Fastest Countdown Builder | The Ninja Countdown \| Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘ninja_countdown_admin_ajax’ AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns. | 2025-11-11 | 4.3 | CVE-2025-12665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0b6433-5651-4a9d-8356-5d02d51830f4?source=cve https://wordpress.org/plugins/ninja-countdown/ |
| smackcoders–WP Import Ultimate CSV XML Importer for WordPress | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin’s admin interface. | 2025-11-12 | 4.3 | CVE-2025-12732 | https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42 https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72 https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php |
| paoltaia–GeoDirectory WP Business Directory Plugin and Classified Listings Directory | The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the ‘post_attachment_upload’ function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places. | 2025-11-12 | 4.3 | CVE-2025-12833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve https://wordpress.org/plugins/geodirectory/ https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail= |
| smub–All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs. | 2025-11-15 | 4.3 | CVE-2025-12847 | https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387 |
| aEnrich–a+HRD | The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript code that is executed in users’ browsers upon page load. | 2025-11-12 | 4.8 | CVE-2025-12869 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| asgaros–Asgaros Forum | The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2025-11-12 | 4.3 | CVE-2025-12901 | https://www.wordfence.com/threat-intel/vulnerabilities/id/75625e6e-f75b-4e11-acd8-7388efb12b29?source=cve https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L606 https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L605 https://github.com/Asgaros/asgaros-forum/commit/92305fb8ba4ec0a6c65256915d0a32e5553b74f3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392004%40asgaros-forum&new=3392004%40asgaros-forum&sfp_email=&sfph_mail= |
| rymcu–forest | A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2025-11-10 | 4.3 | CVE-2025-12924 | VDB-331644 \| rymcu forest BankController.java GlobalResult authorization VDB-331644 \| CTI Indicators (IOB, IOC, IOA) Submit #681079 \| RYMCU forest V1.0 Missing Authentication https://github.com/rymcu/forest/issues/198 |
| n/a–DedeBIZ | A security vulnerability has been detected in DedeBIZ up to 6.3.2. The impacted element is an unknown function of the file /admin/archives_add.php. Such manipulation of the argument flags[] leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-10 | 4.7 | CVE-2025-12927 | VDB-331647 \| DedeBIZ archives_add.php sql injection VDB-331647 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681507 \| DedeBIZ CMS v6.3.2 archives_add.php SQL Injection https://github.com/ZZCTD/zz_test/issues/4 |
| SourceCodester–Baby Care System | A vulnerability was determined in SourceCodester Baby Care System 1.0. Affected by this issue is some unknown functionality of the file /admin.php?id=inbox. This manipulation of the argument msgid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-10 | 4.7 | CVE-2025-12932 | VDB-331652 \| SourceCodester Baby Care System admin.php sql injection VDB-331652 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682272 \| SourceCodester Baby Care System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/7 https://www.sourcecodester.com/ |
| techlabpro1–Classified Listing AI-Powered Classified ads & Business Directory Plugin | The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the “rtcl_ajax_add_listing_type”, “rtcl_ajax_update_listing_type”, and “rtcl_ajax_delete_listing_type” functions in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, update, or delete listing types. | 2025-11-11 | 4.3 | CVE-2025-12953 | https://www.wordfence.com/threat-intel/vulnerabilities/id/811f147e-5829-4f7e-91d8-9dba780950d5?source=cve https://plugins.trac.wordpress.org/changeset/3389342/classified-listing/trunk/app/Controllers/Ajax/AjaxListingType.php |
| code-projects–Responsive Hotel Site | A vulnerability was detected in code-projects Responsive Hotel Site 1.0. Impacted is an unknown function of the file /admin/usersettingdel.php. Performing manipulation of the argument eid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-12 | 4.7 | CVE-2025-13075 | VDB-332206 \| code-projects Responsive Hotel Site usersettingdel.php sql injection VDB-332206 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682856 \| code-projects Responsive Hotel Site 1.0 SQL Injection https://github.com/zhizi1234/cve/blob/main/tmp69/tmp69/report.md https://code-projects.org/ |
| code-projects–Responsive Hotel Site | A flaw has been found in code-projects Responsive Hotel Site 1.0. The affected element is an unknown function of the file /admin/usersetting.php. Executing manipulation of the argument usname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-12 | 4.7 | CVE-2025-13076 | VDB-332207 \| code-projects Responsive Hotel Site usersetting.php sql injection VDB-332207 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682867 \| code-projects Responsive Hotel Site 1.0 SQL Injection https://github.com/zhizi1234/cve/blob/main/tmp70/report.md https://code-projects.org/ |
| macrozheng–mall-swarm | A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3. This impacts the function detail of the file /order/detail/ of the component Order Details Handler. Performing manipulation of the argument orderId results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 4.3 | CVE-2025-13115 | VDB-332320 \| macrozheng mall-swarm/mall Order Details detail improper authorization VDB-332320 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683222 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686528 \| mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/6 https://github.com/Hwwg/cve/issues/11 |
| Fabian Ros–Simple E-Banking System | A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-13 | 4.3 | CVE-2025-13119 | VDB-332324 \| Fabian Ros/SourceCodester Simple E-Banking System cross-site request forgery VDB-332324 \| CTI Indicators (IOB, IOC) Submit #683335 \| Fabian Ros Simple E-Banking System In PHP With Source Code October 11, 2025 Cross-Site Request Forgery https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-CSRF-Forced-Withdrawal |
| Bdtask–SalesERP | A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.3 | CVE-2025-13177 | VDB-332467 \| Bdtask/CodeCanyon SalesERP cross-site request forgery VDB-332467 \| CTI Indicators (IOB, IOC) Submit #684819 \| Bdtask Sales ERP Software Latest version as of 2025-10-16 Cross-Site Request Forgery (CSRF) https://github.com/4m3rr0r/PoCVulDb/issues/1 |
| Bdtask–Wholesale Inventory Control and Inventory Management System | A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.3 | CVE-2025-13179 | VDB-332469 \| Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System cross-site request forgery VDB-332469 \| CTI Indicators (IOB, IOC) Submit #684823 \| Bdtask Wholesale Management System Latest version as of 2025-10-16 Cross-Site Request Forgery (CSRF) https://github.com/4m3rr0r/PoCVulDb/issues/3 |
| Bdtask–News365 | A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.7 | CVE-2025-13185 | VDB-332473 \| Bdtask/CodeCanyon News365 profile unrestricted upload VDB-332473 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685028 \| Bdtask News365 – PHP Newspaper Script Magazine Blog with Video Newspaper 7.0.3 Unrestricted File Upload https://github.com/4m3rr0r/PoCVulDb/issues/5 |
| n/a–DouPHP | A vulnerability has been found in DouPHP up to 1.8 Release 20251022. This impacts an unknown function of the file upload/include/file.class.php. The manipulation of the argument File leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-11-15 | 4.7 | CVE-2025-13198 | VDB-332496 \| DouPHP file.class.php unrestricted upload VDB-332496 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685544 \| Douke Network Technology Co., Ltd. DouPHP DouPHP v1.8 Release 20251022 Arbitrary File Upload https://github.com/electroN1chahaha/My-CVE/issues/1 |
| itsourcecode–Inventory Management System | A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=add. Such manipulation of the argument PROMODEL leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-11-15 | 4.7 | CVE-2025-13210 | VDB-332529 \| itsourcecode Inventory Management System index.php sql injection VDB-332529 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685702 \| itsourcecode Inventory Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/56 https://itsourcecode.com/ |
| Bdtask–Isshue Multi Store eCommerce Shopping Cart Solution | A security vulnerability has been detected in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/cart_total_amount leads to enforcement of behavioral workflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-16 | 4.3 | CVE-2025-13239 | VDB-332565 \| Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution submit_checkout behavioral workflow VDB-332565 \| CTI Indicators (IOB, IOC, IOA) Submit #686896 \| Bdtask Isshue – Multi Store eCommerce Shopping Cart Solution With POS v5 Business Logic Flaw https://github.com/4m3rr0r/PoCVulDb/issues/7 |
| code-projects–Student Information System | A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 4.3 | CVE-2025-13244 | VDB-332570 \| code-projects Student Information System register.php cross site scripting VDB-332570 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687529 \| code-projects Student Information System 2.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss6.md https://code-projects.org/ |
| n/a–Intel VTune Profiler | Improper input validation for some Intel VTune Profiler before version 2025.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.4 | CVE-2025-20056 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01355.html |
| Cisco–Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. The attacker would need valid read-only user credentials. This vulnerability is due to improper role-based access control (RBAC). An attacker could exploit this vulnerability by logging in to an affected system and modifying certain policy configurations. A successful exploit could allow the attacker to modify policy configurations that are reserved for the Administrator role. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 4.3 | CVE-2025-20346 | cisco-sa-privesc-catc-rYjReeLU |
| Cisco–Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. | 2025-11-13 | 4.7 | CVE-2025-20355 | cisco-sa-catc-open-redirect-3W5Bk3Je |
| n/a–Intel(R) CIP software | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.5 | CVE-2025-24516 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) CIP software | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.5 | CVE-2025-24847 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. | 2025-11-15 | 4.3 | CVE-2025-2615 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #526360 HackerOne Bug Bounty Report #3049150 |
| IBM–OpenPages | IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view. | 2025-11-12 | 4.3 | CVE-2025-27368 | https://www.ibm.com/support/pages/node/7250238 |
| n/a–ACAT | Time-of-check time-of-use race condition for some ACAT before version 3.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.4 | CVE-2025-27725 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01388.html |
| Zoom Communications Inc.–Zoom Workplace Clients | Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access. | 2025-11-13 | 4.8 | CVE-2025-30669 | https://www.zoom.com/en/trust/security-bulletin/zsb-25044 |
| Elastic–Kibana | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | 2025-11-12 | 4.3 | CVE-2025-37734 | https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381 |
| SAP_SE–SAP NetWeaver Application Server for ABAP | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment details of the system could further assist this attacker to plan subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application. | 2025-11-11 | 4.3 | CVE-2025-42882 | https://me.sap.com/notes/3643337 https://url.sap/sapsecuritypatchday |
| SAP_SE–SAP S4CORE (Manage Journal Entries) | SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application. | 2025-11-11 | 4.3 | CVE-2025-42899 | https://me.sap.com/notes/3530544 https://url.sap/sapsecuritypatchday |
| Combodo–iTop | Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn’t be able to do so. Version 3.2.2 fixes the issue. | 2025-11-10 | 4.3 | CVE-2025-48878 | https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556 |
| Microsoft–Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 4.3 | CVE-2025-60728 | Microsoft Excel Information Disclosure Vulnerability |
| Zoom Communications Inc.–Zoom Workplace | Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access. | 2025-11-13 | 4.3 | CVE-2025-62482 | https://www.zoom.com/en/trust/security-bulletin/zsb-25046 |
| Enalean–tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don’t have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of an SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue. | 2025-11-12 | 4.6 | CVE-2025-64117 | https://github.com/Enalean/tuleap/security/advisories/GHSA-p2f7-qw8p-f2p7 https://github.com/Enalean/tuleap/commit/f49419f63edbbaa31ce8417b737431d944827404 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=f49419f63edbbaa31ce8417b737431d944827404 https://tuleap.net/plugins/tracker/?aid=45251 |
| Enalean–tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.0-1, 16.13-6, and 16.12-9 don’t have cross-site request forgery protections in the file release system. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of an SVN repo. Tuleap Community Edition 16.13.99.1762267347, Tuleap Enterprise Edition 17.0-1, Tuleap Enterprise Edition 16.13-6, and Tuleap Enterprise Edition 16.12-9 fix the issue. | 2025-11-12 | 4.6 | CVE-2025-64482 | https://github.com/Enalean/tuleap/security/advisories/GHSA-w7h4-9vf6-q7rc https://github.com/Enalean/tuleap/commit/899b5c1693324211947b72f2810ae8944e1bd0d5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=899b5c1693324211947b72f2810ae8944e1bd0d5 https://tuleap.net/plugins/tracker/?aid=45259 |
| OpenPrinting–cups-filters | cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macOS. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out-of-bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without an overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18. | 2025-11-12 | 4 | CVE-2025-64503 | https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9 https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865 https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1620 https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1880 https://github.com/OpenPrinting/libcupsfilters/blob/1dd86d835b27ed149b66aee1a4853d1db8a1f44c/cupsfilters/pdftoraster.cxx#L1790 |
| trifectatechfoundation–sudo-rs | sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user’s UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don’t know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`. | 2025-11-12 | 4.4 | CVE-2025-64517 | https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10 |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form. | 2025-11-10 | 4.5 | CVE-2025-64684 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.–Zoom Clients | External control of file name or path in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 4.3 | CVE-2025-64739 | https://www.zoom.com/en/trust/security-bulletin/zsb-25041 |
| directus–directus | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue. | 2025-11-13 | 4.6 | CVE-2025-64746 | https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2 https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8 |
| directus–directus | Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue. | 2025-11-13 | 4.3 | CVE-2025-64749 | https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31 |
| GitLab–GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests. | 2025-11-15 | 4.3 | CVE-2025-7000 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #553129 HackerOne Bug Bounty Report #3214025 |
| Arista Networks–EOS | On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device. | 2025-11-14 | 4.9 | CVE-2025-8870 | https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125 |
| Axis Communications AB–AXIS OS | The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer-, operator-, or administrator-privileged service account. | 2025-11-11 | 4.3 | CVE-2025-9524 | https://www.axis.com/dam/public/f1/f0/1e/cve-2025-9524pdf-en-US-504220.pdf |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint. | 2025-11-13 | 3.1 | CVE-2025-11777 | https://mattermost.com/security-updates |
| GitLab–GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | 2025-11-15 | 3.1 | CVE-2025-11990 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #577850 HackerOne Bug Bounty Report #3257843 |
| n/a–PostgreSQL | Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | 2025-11-13 | 3.1 | CVE-2025-12817 | https://www.postgresql.org/support/security/CVE-2025-12817/ |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns. | 2025-11-15 | 3.5 | CVE-2025-12983 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #296257 HackerOne Bug Bounty Report #3419588 |
| soerennb–eXtplorer | A security flaw has been discovered in soerennb eXtplorer up to 2.1.15. The affected element is an unknown function of the component Filename Handler. The manipulation results in cross site scripting. The attack may be launched remotely. The patch is identified as 002def70b985f7012586df2c44368845bf405ab3. Applying a patch is advised to resolve this issue. | 2025-11-12 | 3.5 | CVE-2025-13058 | VDB-332185 \| soerennb eXtplorer Filename cross site scripting VDB-332185 \| CTI Indicators (IOB, IOC, TTP) Submit #682370 \| eXtplorer eXtplorer (PHP file manager) 2.1.15 Cross-Site Scripting (Stored) https://github.com/soerennb/extplorer/issues/33 https://github.com/soerennb/extplorer/commit/002def70b985f7012586df2c44368845bf405ab3 |
| Bdtask–SalesERP | A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 3.5 | CVE-2025-13178 | VDB-332468 \| Bdtask/CodeCanyon SalesERP User Profile edit_profile cross site scripting VDB-332468 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684820 \| bdtask Sales ERP Software Latest version as of 2025-10-24 Stored HTML Injection https://github.com/4m3rr0r/PoCVulDb/issues/2 |
| Bdtask–Wholesale Inventory Control and Inventory Management System | A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 3.5 | CVE-2025-13180 | VDB-332470 \| Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System edit_profile cross site scripting VDB-332470 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684824 \| Bdtask Wholesale Management System Latest version as of 2025-10-16 Stored HTML Injection https://github.com/4m3rr0r/PoCVulDb/issues/4 |
| pojoin–h3blog | A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-14 | 3.5 | CVE-2025-13181 | VDB-332471 \| pojoin h3blog add cross site scripting VDB-332471 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684887 \| https://gitee.com/pojoin/h3blog h3blog 1.0 Cross-site Scripting https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md#vulnerability-reproduction |
| pojoin–h3blog | A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-14 | 3.5 | CVE-2025-13182 | VDB-332472 \| pojoin h3blog addtitle cross site scripting VDB-332472 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685520 \| https://gitee.com/pojoin/h3blog h3blog 1.0 Cross-site Scripting https://github.com/caigo8/CVE-md/blob/main/h3blog/xss3.md https://github.com/caigo8/CVE-md/blob/main/h3blog/xss3.md#vulnerability-reproduction |
| code-projects–Simple Cafe Ordering System | A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-15 | 3.5 | CVE-2025-13202 | VDB-332500 \| code-projects Simple Cafe Ordering System add_to_cart cross site scripting VDB-332500 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685729 \| code-projects Simple Cafe Ordering System published October 30, 2025 Cross Site Scripting https://github.com/shenxianyuguitian/cafeorder_vuln_XSS/blob/main/README.md https://code-projects.org/ |
| n/a–projectsend | A flaw has been found in projectsend up to r1720. Impacted is an unknown function of the component File Editor/Custom Download Aliases. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version r1945 is recommended to address this issue. Patch name: 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845. It is advisable to upgrade the affected component. | 2025-11-16 | 3.5 | CVE-2025-13232 | VDB-332558 \| projectsend File Editor/Custom Download Aliases cross site scripting VDB-332558 \| CTI Indicators (IOB, IOC, TTP) Submit #686533 \| projectsend web r1720 Cross Site Scripting https://github.com/projectsend/projectsend/pull/1450 https://github.com/projectsend/projectsend/commit/334da1ea39cb12f6b6e98dd2f80bb033e0c7b845 https://github.com/projectsend/projectsend/releases/tag/r1945 |
| code-projects–Student Information System | A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-11-16 | 3.5 | CVE-2025-13245 | VDB-332571 \| code-projects Student Information System editprofile.php cross site scripting VDB-332571 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687531 \| code-projects Student Information System 2.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss7.md https://code-projects.org/ |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will. | 2025-11-12 | 3.1 | CVE-2025-20378 | https://advisory.splunk.com/advisories/SVD-2025-1101 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin” or “power” Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search” endpoint through its “q” parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2025-11-12 | 3.5 | CVE-2025-20379 | https://advisory.splunk.com/advisories/SVD-2025-1102 |
| n/a–Intel(R) NPU Drivers for Windows | Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.8 | CVE-2025-20622 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a–Intel(R) Graphics Drivers and Intel LTS kernels | Improper input validation in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-25216 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a–Intel QuickAssist Technology software | Improper input validation for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.8 | CVE-2025-30509 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a–Intel(R) oneAPI Math Kernel Library | Improper input validation for some Intel(R) oneAPI Math Kernel Library before version 2025.2 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-31948 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01366.html |
| n/a–Intel(R) QAT Windows software | Improper conditions check for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-32088 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| Mattermost–Mattermost | Mattermost versions <11.0 fail to properly enforce the “Allow users to view archived channels” setting, which allows regular users to access archived channel content and files via the “Open in Channel” functionality from followed threads. | 2025-11-14 | 3.1 | CVE-2025-41436 | https://mattermost.com/security-updates |
| Dell–Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Process Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Disclosure. | 2025-11-13 | 3.3 | CVE-2025-46370 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| OpenPrinting–libcupsfilters | CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libcupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters’s `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF()` in libcupsfilters. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa. | 2025-11-12 | 3.7 | CVE-2025-57812 | https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4 https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/cupsfilters/image-tiff.c#L34 https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/filter/imagetoraster.c#L613 https://github.com/OpenPrinting/libcupsfilters/blob/33421982e10f6a14bc0bab03b80c9cf4660e8d7d/cupsfilters/image-tiff.c#L32 |
| dgtlmoon–changedetection.io | changedetection.io is a free open source web page change detection tool. A stored cross-site scripting vulnerability is present in the changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the malicious JavaScript code is executed. Version 0.50.34 fixes the issue. | 2025-11-10 | 3.5 | CVE-2025-62780 | https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4c3j-3h7v-22q9 |
| trifectatechfoundation–sudo-rs | sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue. | 2025-11-12 | 3.8 | CVE-2025-64170 | https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10 |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of an incorrect authorization context. | 2025-11-10 | 3.1 | CVE-2025-64686 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| PrivateBin–PrivateBin | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible – like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue. | 2025-11-13 | 3.9 | CVE-2025-64711 | https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-r9x7-7ggj-fx9f https://github.com/PrivateBin/PrivateBin/commit/f9550e513381208b36595ee2404e968144bba78b |
| openobserve–openobserve | OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available. | 2025-11-13 | 3.5 | CVE-2025-64744 | https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. | 2025-11-15 | 3.5 | CVE-2025-6945 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #552611 HackerOne Bug Bounty Report #3173458 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. | 2025-11-15 | 3.1 | CVE-2025-7736 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #556098 HackerOne Bug Bounty Report #3250156 |
| Axis Communications AB–AXIS OS | It was possible to upload files with a specific name to a temporary directory, which may result in process crashes and impact usability. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. | 2025-11-11 | 3.1 | CVE-2025-8998 | https://www.axis.com/dam/public/f5/62/80/cve-2025-8998pdf-en-US-504374.pdf |
| liweiyi–ChestnutCMS | A vulnerability was determined in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function resourceDownload of the file /dev-api/common/download. Executing manipulation of the argument path can lead to path traversal. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-10 | 2.7 | CVE-2025-12923 | VDB-331643 \| liweiyi ChestnutCMS download resourceDownload path traversal VDB-331643 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681032 \| liweiyi ChestnutCMS 1.5.8 Path Traversal https://github.com/Huu1j/CVE/blob/main/chestnutcms%20Arbitrary%20File%20Read.md |
| Bdtask–Isshue Multi Store eCommerce Shopping Cart Solution | A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. This impacts an unknown function of the file /dashboard/Ccustomer/manage_customer. This manipulation of the argument Search causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 2.4 | CVE-2025-13186 | VDB-332474 \| Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution manage_customer cross site scripting VDB-332474 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685036 \| Bdtask Isshue — Multi Store eCommerce Shopping Cart Solution With POS 4.0 Reflected Cross-Site Scripting (XSS) https://github.com/4m3rr0r/PoCVulDb/blob/main/README18.md |
| n/a–Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24307 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) CIP software | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24314 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) CIP software | Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present with special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24862 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a–Intel(R) PresentMon | Improper access control for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow a denial of service. Network adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-32037 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01392.html |
| SAP_SE–SAP NetWeaver Application Server for ABAP (Migration Workbench) | Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. | 2025-11-11 | 2.7 | CVE-2025-42883 | https://me.sap.com/notes/3634053 https://url.sap/sapsecuritypatchday |
| JetBrains–Hub | In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations | 2025-11-10 | 2.7 | CVE-2025-64681 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains–Hub | In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit | 2025-11-10 | 2.7 | CVE-2025-64682 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| withastro–astro | Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro’s development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim’s browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue. | 2025-11-13 | 2.7 | CVE-2025-64745 | https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7 https://github.com/withastro/astro/pull/12994 https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91 https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149 |
| JetBrains–YouTrack | In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit | 2025-11-11 | 2.7 | CVE-2025-64773 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| bytecodealliance–wasmtime | Wasmtime is a runtime for WebAssembly. Prior to versions 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime’s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, embeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. | 2025-11-12 | 1.8 | CVE-2025-64345 | https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10 https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new https://docs.wasmtime.dev/stability-release.html https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| IRAI–AUTOMGEN | AUTOMGEN versions up to and including 8.0.0.7 (also referenced as 8.022) contain a vulnerability in project file handling: an object is freed and the stale pointer is subsequently dereferenced when processing certain malformed fields. The dangling-pointer use enables an attacker to influence an indirect call through attacker-controlled memory, resulting in denial-of-service. In some conditions, remote code execution may be possible. | 2025-11-12 | not yet calculated | CVE-2011-10034 | https://www.exploit-db.com/exploits/17964 https://en.iraifrance.com/automgen https://www.vulncheck.com/advisories/irai-automgen-use-after-free-remote-dos |
| JVC (JVCKENWOOD)–IP-Camera (VN-T216VPRU) | JVC VN-T IP-camera models firmware versions up to 2016-08-22 (confirmed on the VN-T216VPRU model) contain a directory traversal vulnerability in the checkcgi endpoint that accepts a user-controlled file parameter. An unauthenticated remote attacker can leverage this vulnerability to read arbitrary files on the device. | 2025-11-12 | not yet calculated | CVE-2016-15055 | https://www.exploit-db.com/exploits/40282 https://web.archive.org/web/20170713051843/http://www.black-rose.ml/2016/08/analyzing-security-cameras-products.html http://pro.jvc.com/prof/attributes/tech_desc.jsp?model_id=MDL102145&feature_id=02 https://www.vulncheck.com/advisories/jvc-vnt-ip-camera-directory-traversal-via-check-cgi |
| Ubee Interactive–Ubee EVW3226 | Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request ‘Configuration_file.cfg’ directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device. | 2025-11-14 | not yet calculated | CVE-2016-15056 | https://www.exploit-db.com/exploits/40156 https://seclists.org/fulldisclosure/2016/Jul/66 https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities https://web.archive.org/web/20160403014231/http://www.ubeeinteractive.com/products/cable/evw3226 https://www.vulncheck.com/advisories/ubee-evw3226-unauthenticated-backup-file-disclosure |
| QNAP Systems Inc.–Photo Station | Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research. | 2025-11-11 | not yet calculated | CVE-2017-20210 | https://www.qnap.com/en-in/security-advisory/nas-201705-04 |
| UCanCode.Net Software–E-XD++ Visualization Enterprise Suite | UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control. This is because it exposes a RotateShape method that dereferences a user-supplied pointer without sufficient validation. A crafted input may cause the control to dereference an attacker-controlled pointer, enabling remote code execution in the context of the hosting process. The vulnerability requires user interaction (instantiation of the ActiveX control via a web page or a file). | 2025-11-12 | not yet calculated | CVE-2017-20211 | https://www.zerodayinitiative.com/advisories/ZDI-17-422/ https://www.ucancode.net/ https://www.vulncheck.com/advisories/ucancode-e-xd-visualization-enterprise-suite-untrusted-pointer-dereference-rce |
| RainbowFish Software–PacsOne Server | PacsOne Server version 6.6.2 (prior versions are likely affected) contains a directory traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the ‘nocache.php’ endpoint with a crafted ‘path’ parameter. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC. | 2025-11-10 | not yet calculated | CVE-2018-25124 | https://www.exploit-db.com/exploits/43907 https://pacsone.net/download.htm https://www.vulncheck.com/advisories/pacsone-server-dicom-web-viewer-directory-traversal-lfi |
| Netis Systems Co., Ltd.–DL4322D | Netis ADSL Router DL4322D firmware RTK 2.1.1 contains a buffer overflow vulnerability in the embedded FTP service that allows an authenticated remote user to trigger a denial of service. After logging in to the FTP service, sending an FTP command such as ABOR with an excessively long argument causes the service, and in practice the router, to crash or become unresponsive, resulting in a loss of availability for the device and connected users. | 2025-11-14 | not yet calculated | CVE-2018-25125 | https://www.exploit-db.com/exploits/45424 https://web.archive.org/web/20180731191918/http://www.netis-systems.com/Home/detail/id/74.html https://www.netis-systems.com/ https://www.vulncheck.com/advisories/netis-dl4322d-ftp-service-dos |
| Employee Records System–Employee Records System | Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. | 2025-11-10 | not yet calculated | CVE-2021-4462 | https://www.sourcecodester.com/php/11393/employee-records-system.html https://www.exploit-db.com/exploits/49596 https://www.vulncheck.com/advisories/employees-records-system-arbitrary-file-upload-rce |
| Shenzhen Longjing Technology Co. Ltd.–BEMS API | Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the ‘downloads’ endpoint. The ‘fileName’ parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory. | 2025-11-12 | not yet calculated | CVE-2021-4463 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php https://www.exploit-db.com/exploits/50163 https://packetstormsecurity.com/files/163702 https://cxsecurity.com/issue/WLB-2021070173 https://exchange.xforce.ibmcloud.com/vulnerabilities/206477 https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/ https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download |
| FiberHome–AN5506-04-FA | FiberHome AN5506-04-FA firmware versions up to and including RP2631 and HG6245D prior to RP2602 contain a stack-based buffer overflow, as the HTTP service (‘webs’) fails to enforce maximum lengths for Cookie header values. When a cookie longer than 511 bytes is processed, a stack buffer is overrun, leading to a crash or potential control of execution flow. | 2025-11-12 | not yet calculated | CVE-2021-4464 | https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#misc-remote-stack-overflow-an5506 https://pierrekim.github.io/advisories/2021-fiberhome-0x00-ont.txt https://www.vulncheck.com/advisories/fiberhome-routers-remote-stack-overflow |
| ReQuest Serious Play LLC–ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing remote interruption of service availability. | 2025-11-14 | not yet calculated | CVE-2021-4465 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php https://www.exploit-db.com/exploits/48951 https://packetstorm.news/files/id/159602 https://cxsecurity.com/issue/WLB-2020100122 https://exchange.xforce.ibmcloud.com/vulnerabilities/190031 http://www.request.com/ https://www.vulncheck.com/advisories/request-serious-play-f3-media-server-remote-dos |
| IPCop Project–IPCop | IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise. | 2025-11-14 | not yet calculated | CVE-2021-4466 | https://www.exploit-db.com/exploits/50183 https://www.ipcop.org/ https://sourceforge.net/projects/ipcop/ https://www.vulncheck.com/advisories/ipcop-authenticated-rce |
| Positive Technologies–MaxPatrol 8 (Server) | Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption. | 2025-11-14 | not yet calculated | CVE-2021-4467 | https://vulners.com/zdt/1337DAY-ID-36775 https://cxsecurity.com/issue/WLB-2021090114 https://www.ptsecurity.com/ https://www.vulncheck.com/advisories/positive-technologies-maxpatrol-8-and-xspider-remote-dos |
| PLANEX COMMUNICATIONS Inc.–CS-QP50F-ING2 | PLANEX CS-QP50F-ING2 smart cameras expose a configuration backup interface over HTTP that does not require authentication. A remote, unauthenticated attacker can directly retrieve a compressed configuration backup file from the device. The backup contains sensitive configuration information, including credentials, allowing an attacker to obtain administrative access to the camera and compromise the confidentiality of the monitored environment. | 2025-11-14 | not yet calculated | CVE-2021-4468 | https://packetstorm.news/files/id/160805/ https://cxsecurity.com/issue/WLB-2021010050 https://www.planex.co.jp/products/cs-qp50f/ https://www.vulncheck.com/advisories/planex-cs-qp50f-ing2-smart-camera-remote-configuration-disclosure |
| Denver–SHO-110 | Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a ‘/snapshot’ endpoint without authentication. While the primary web interface on port 80 enforces authentication, the backdoor service allows any remote attacker to retrieve image snapshots by directly requesting the ‘snapshot’ endpoint. An attacker can repeatedly collect snapshots and reconstruct the camera stream, compromising the confidentiality of the monitored environment. | 2025-11-14 | not yet calculated | CVE-2021-4469 | https://www.exploit-db.com/exploits/50162 http://old.denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826 https://www.vulncheck.com/advisories/denver-sho-110-ip-camera-unauthenticated-snapshot-access |
| TG8–TG8 Firewall | TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. The syscmd POST parameter is passed directly to a system command without validation and executed with root privileges. A remote, unauthenticated attacker can supply crafted values to execute arbitrary operating system commands as root, resulting in full device compromise. | 2025-11-14 | not yet calculated | CVE-2021-4470 | https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/ https://web.archive.org/web/20211024224240/http://www.tg8security.com/ https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-rce-via-runphpcmd-php |
| TG8–TG8 Firewall | TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access. | 2025-11-14 | not yet calculated | CVE-2021-4471 | https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/ https://web.archive.org/web/20211024224240/http://www.tg8security.com/ https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-user-password-disclosure |
| DBL Technology (DBLTek)–GoIP-1 | DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device’s web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sidebar`) which is not properly validated or canonicalized. An attacker can supply directory-traversal sequences to cause the server to read and return arbitrary filesystem files that the webserver user can access. Other GoIP models and firmware versions are likely affected. Exploitation evidence was observed by the Shadowserver Foundation on 2024-03-21 UTC. | 2025-11-12 | not yet calculated | CVE-2022-4982 | https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/ https://www.exploit-db.com/exploits/50775 http://www.dbltek.com/ https://www.vulncheck.com/advisories/dbltek-goip-unauthenticated-lfi |
| TEC-IT Datenverarbeitung GmbH, Austria–TEC-IT TBarCode | TEC-IT TBarCode version 11.15 contains a vulnerability in the TBarCode11.ocx ActiveX/OCX control’s licensing handling (INI-file based) that can be abused to cause remote creation of files on the host filesystem. Depending on where files can be created and which filenames are allowed, this can allow attackers to write files that lead to code execution or persistence under the context of the hosting process. | 2025-11-12 | not yet calculated | CVE-2022-4983 | https://www.tec-it.com/en/software/barcode-software/tbarcode/history/v10/Default.aspx https://www.vulncheck.com/advisories/tec-it-tbarcode-sdk-remote-file-create |
| Qingdao Esoft Tianchuang Network Technology Co., Ltd.–ZenTao Biz | ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC. | 2025-11-13 | not yet calculated | CVE-2022-4984 | https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853 https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login |
| Vodacom–Vodafone H500s | Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems. | 2025-11-14 | not yet calculated | CVE-2022-4985 | https://www.exploit-db.com/exploits/50636 https://cxsecurity.com/issue/WLB-2022010024 https://help.vodacom.co.za/personal/home/61/9493/1023659/Vodafone-H500s-WiFi-router https://www.vulncheck.com/advisories/vodafone-h500s-wifi-password-disclosure-via-activation-json |
| Seiko Epson–Epson Stylus SX510W | The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition. | 2025-11-12 | not yet calculated | CVE-2023-7326 | https://www.exploit-db.com/exploits/51441 https://www.epson.eu/en_EU/support/sc/epson-stylus-sx510w/s/s837 https://www.vulncheck.com/advisories/epson-stylus-printer-remote-power-off-dos |
| Ozeki Ltd.–Ozeki SMS Gateway | Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information. | 2025-11-12 | not yet calculated | CVE-2023-7327 | https://www.exploit-db.com/exploits/51646 https://ozeki-sms-gateway.com/ https://www.vulncheck.com/advisories/ozeki-sms-gateway-unauthenticated-arbitrary-file-read |
| DB Elettronica Telecomunicazioni SpA–Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control vulnerability in the user management API that allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values. | 2025-11-14 | not yet calculated | CVE-2023-7328 | https://www.exploit-db.com/exploits/51460 https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php https://packetstormsecurity.com/files/172332/ https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure |
| tinycontrol–Lan Controller | Tinycontrol LAN Controller v3 (LK3) firmware versions up to 1.58a (hardware v3.8) contain a missing authentication vulnerability in the stm.cgi endpoint. A remote, unauthenticated attacker can send crafted requests to forcibly reboot the device or restore factory settings, leading to a denial of service and configuration loss. | 2025-11-12 | not yet calculated | CVE-2023-7329 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php https://packetstormsecurity.com/files/174455/ https://www.exploit-db.com/exploits/51730 https://exchange.xforce.ibmcloud.com/vulnerabilities/275810 https://tinycontrol.pl/en/archives/lan-controller-35/ https://www.vulncheck.com/advisories/tinycontrol-lan-controller-v3-remote-dos |
| Google–Chrome | Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2024-11919 | |
| Google–Chrome | Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-11-14 | not yet calculated | CVE-2024-11920 | |
| Google–Chrome | Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-13178 | |
| Google–Chrome | Inappropriate implementation in Lens in Google Chrome on iOS prior to 136.0.7103.59 allowed a remote attacker to perform UI spoofing via a crafted QR code. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2024-13983 | |
| usememos–memos | Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password. In versions up to and including 0.18.1, though, the bad actor will still have access to their account because the bad actor’s Access Token stays on the list as a valid token. The user will have to manually delete the bad actor’s Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens. A known patched version of Memos isn’t available. To improve Memos security, all Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user’s devices and prompts the user to log in again. One can treat the old Access Tokens as “invalid” because those Access Tokens were created with the older password. | 2025-11-14 | not yet calculated | CVE-2024-21635 | https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2 |
| n/a–n/a | Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script. | 2025-11-14 | not yet calculated | CVE-2024-42749 | https://github.com/altocms/altocms https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-42749.md |
| n/a–PHPGurukul | Multiple parameters in register.php in PHPGurukul Student Record System 3.20 are vulnerable to SQL injection. These include: c-full, fname, mname, lname, gname, ocp, nation, mobno, email, board1, roll1, pyear1, board2, roll2, pyear2, sub1, marks1, sub2, course-short, income, category, ph, country, state, city, padd, cadd, and gender. | 2025-11-14 | not yet calculated | CVE-2024-44630 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44630.md |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the id and emailid parameters in password-recovery.php. | 2025-11-14 | not yet calculated | CVE-2024-44632 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44632.md |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the currentpassword parameter in change-password.php. | 2025-11-14 | not yet calculated | CVE-2024-44633 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44633.md |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to Cross Site Scripting (XSS) via adminname and aemailid parameters in /admin-profile.php. | 2025-11-14 | not yet calculated | CVE-2024-44635 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44635.md |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the adminname and aemailid parameters in /admin-profile.php. | 2025-11-14 | not yet calculated | CVE-2024-44636 | https://phpgurukul.com/student-record-system-php CVE Record: CVE-2024-44636 |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the sub1, sub2, sub3, sub4, and course-short parameters in add-subject.php. | 2025-11-14 | not yet calculated | CVE-2024-44639 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44639.md |
| n/a–PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the course-short, course-full, and cdate parameters in add-course.php. | 2025-11-14 | not yet calculated | CVE-2024-44640 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44640.md |
| n/a–PHPGurukul | PHPGurukul Student Record Management System 3.20 is vulnerable to SQL Injection via the id and password parameters in login.php. | 2025-11-14 | not yet calculated | CVE-2024-55016 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-55016.md |
| n/a–PHPGurukul | An issue in Agnitum Outpost Security Suite 7.5.3 (3942.608.1810) and 7.6 (3984.693.1842) allows a local attacker to execute arbitrary code via the lock function. The manufacturer fixed the vulnerability in version 8.0 (4164.652.1856) from December 17, 2012. | 2025-11-11 | not yet calculated | CVE-2024-57695 | https://www.youtube.com/watch?v=fvgD884wCX8 https://habr.com/en/articles/161393/ |
| Google–Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2025-11-14 | not yet calculated | CVE-2024-7017 | |
| Google–Chrome | Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-7021 | |
| Google–Chrome | Use after free in Internals in Google Chrome on iOS prior to 127.0.6533.88 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a series of curated UI gestures. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-9126 | |
| OpenSolution–QuickCMS | QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-11-14 | not yet calculated | CVE-2025-10018 | https://cert.pl/posts/2025/11/CVE-2025-9982 https://opensolution.org/cms-system-quick-cms.html |
| Unknown–Creta Testimonial Showcase | The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. | 2025-11-14 | not yet calculated | CVE-2025-10686 | https://wpscan.com/vulnerability/27d58c5a-ab87-41aa-a806-53fa96d4351c/ |
| Rockwell Automation–FactoryTalk DataMosaix Private Cloud | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user’s password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. | 2025-11-11 | not yet calculated | CVE-2025-11084 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html |
| Rockwell Automation–FactoryTalk DataMosaix Private Cloud | A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website. | 2025-11-11 | not yet calculated | CVE-2025-11085 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html |
| Unknown–Make Email Customizer for WooCommerce | The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options. | 2025-11-11 | not yet calculated | CVE-2025-11237 | https://wpscan.com/vulnerability/88b46752-051b-4468-9e2b-cc81a9ce1075/ |
| Unknown–WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped. | 2025-11-11 | not yet calculated | CVE-2025-11307 | https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/ |
| N-able–N-central | N-central < 2025.4 is vulnerable to authentication bypass via path traversal. | 2025-11-12 | not yet calculated | CVE-2025-11366 | https://me.n-able.com/s/security-advisory/aArVy0000000rcDKAQ/cve202511366-ncentral-authentication-bypass-via-path-traversal |
| N-able–N-central | The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization. | 2025-11-12 | not yet calculated | CVE-2025-11367 | https://me.n-able.com/s/security-advisory/aArVy0000000rfRKAQ/cve202511367-ncentral-windows-software-probe-remote-code-execution |
| Unknown–Team Members Showcase | The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins. | 2025-11-12 | not yet calculated | CVE-2025-11560 | https://wpscan.com/vulnerability/64d7a074-3f1d-4b09-8e96-d76b9fb3c41e/ |
| Schneider Electric–PowerChute Serial Shutdown | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload. | 2025-11-12 | not yet calculated | CVE-2025-11565 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| Schneider Electric–PowerChute Serial Shutdown | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. | 2025-11-12 | not yet calculated | CVE-2025-11566 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| Schneider Electric–PowerChute Serial Shutdown | CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured. | 2025-11-12 | not yet calculated | CVE-2025-11567 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| GitHub–Enterprise Server | A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user's authorized keys, thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program. | 2025-11-10 | not yet calculated | CVE-2025-11578 | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1 |
| Rockwell Automation–Studio 5000 Simulation Interface | A local server-side request forgery (SSRF) security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes. | 2025-11-11 | not yet calculated | CVE-2025-11696 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html |
| Rockwell Automation–Studio 5000 Simulation Interface | A local code execution security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot. | 2025-11-11 | not yet calculated | CVE-2025-11697 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html |
| N-able–N-central | N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure. | 2025-11-12 | not yet calculated | CVE-2025-11700 | https://me.n-able.com/s/security-advisory/aArVy0000000rabKAA/cve202511700-ncentral-importservicefromfile-xxe-injection |
| Unknown–age-restriction | The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and arbitrary password. | 2025-11-11 | not yet calculated | CVE-2025-11855 | https://wpscan.com/vulnerability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/ |
| Rockwell Automation–Verve Asset Manager | A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | 2025-11-11 | not yet calculated | CVE-2025-11862 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1759.html |
| GitHub–Enterprise Server | An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19. | 2025-11-10 | not yet calculated | CVE-2025-11892 | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14 https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19 |
| Rockwell Automation–Arena Simulation | Rockwell Automation Arena® suffers from a stack-based buffer overflow vulnerability. The specific flaw exists within the parsing of DOE files. Local attackers are able to exploit this issue to potentially execute arbitrary code on affected installations of Arena®. Exploiting the vulnerability requires opening a malicious DOE file. | 2025-11-14 | not yet calculated | CVE-2025-11918 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1763.html |
| NetScaler–ADC | Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. | 2025-11-11 | not yet calculated | CVE-2025-12101 | https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695486 |
| floragunn–Search Guard FLX | In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. | 2025-11-14 | not yet calculated | CVE-2025-12149 | https://search-guard.com/cve-advisory/ https://docs.search-guard.com/latest/changelog-searchguard-flx-3_1_3 https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_0 |
| Google Cloud–Looker | A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.192+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ | 2025-11-10 | not yet calculated | CVE-2025-12155 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| AlgoSec–Firewall Analyzer | Improper Limitation of a Pathname ('Path Traversal') vulnerability in Algosec Firewall Analyzer on Linux, 64 bit allows an authenticated user to upload files to a restricted directory leading to code injection. This issue affects Algosec Firewall Analyzer: A33.0 (up to build 320), A33.10 (up to build 210). | 2025-11-12 | not yet calculated | CVE-2025-12382 | https://techdocs.algosec.com/en/cves/Content/tech-notes/cves/cve-2025-12382.htm |
| Google Cloud–Looker Studio | A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected reports with BigQuery as the data source. This vulnerability was patched on 21 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12397 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-28 |
| Google Cloud–Looker Studio | An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report. This vulnerability was patched on 21 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12405 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-29 |
| Google Cloud–Looker Studio | A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim’s permissions in BigQuery. This vulnerability was patched on 07 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12409 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-27 |
| Google–Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12428 | |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12429 | |
| Google–Chrome | Object lifecycle issue in Media in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12430 | |
| Google–Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12431 | |
| Google–Chrome | Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12432 | |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12433 | |
| Google–Chrome | Race in Storage in Google Chrome on Windows prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12434 | |
| Google–Chrome | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12435 | |
| Google–Chrome | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12436 | |
| Google–Chrome | Use after free in PageInfo in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12437 | |
| Google–Chrome | Use after free in Ozone in Google Chrome on Linux and ChromeOS prior to 142.0.7444.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12438 | |
| Google–Chrome | Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12439 | |
| Google–Chrome | Inappropriate implementation in Autofill in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12440 | |
| Google–Chrome | Out of bounds read in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12441 | |
| Google–Chrome | Out of bounds read in WebXR in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12443 | |
| Google–Chrome | Incorrect security UI in Fullscreen UI in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12444 | |
| Google–Chrome | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12445 | |
| Google–Chrome | Incorrect security UI in SplitView in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12446 | |
| Google–Chrome | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12447 | |
| Google–Chrome | Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12725 | |
| Google–Chrome | Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12726 | |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12727 | |
| Google–Chrome | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12728 | |
| Google–Chrome | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12729 | |
| HP Inc–HP Color LaserJet MFP M478-M479 series | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server. | 2025-11-13 | not yet calculated | CVE-2025-12784 | https://support.hp.com/us-en/document/ish_13229161-13229183-16/hpsbpi04074 |
| HP Inc–HP Color LaserJet MFP M478-M479 series | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server. | 2025-11-13 | not yet calculated | CVE-2025-12785 | https://support.hp.com/us-en/document/ish_13229161-13229183-16/hpsbpi04074 |
| NETGEAR–WAX610 | Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). A user having access to the syslog server can read the logs containing these credentials. This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4. Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest. Fixed in: WAX610 firmware 11.8.0.10 or later. WAX610Y firmware 11.8.0.10 or later. | 2025-11-11 | not yet calculated | CVE-2025-12940 | https://www.netgear.com/support/product/wax610 https://www.netgear.com/support/product/wax610y https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR–R6260 | Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to the LAN, with the ability to perform MitM attacks and control over the DNS server, to perform command execution. This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86. | 2025-11-11 | not yet calculated | CVE-2025-12942 | https://www.netgear.com/support/product/r6850 https://www.netgear.com/support/product/r6260 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR–RAX30 | Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper with traffic destined to the device to execute arbitrary commands on the device. Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update to the latest. Fixed in: RAX30 firmware 1.0.14.108 or later. RAXE300 firmware 1.0.9.82 or later. | 2025-11-11 | not yet calculated | CVE-2025-12943 | https://www.netgear.com/support/product/rax30 https://www.netgear.com/support/product/raxe300 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR–DGN2200v4 | Improper input validation in NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with direct network access to the device to potentially execute code on the device. Please check the firmware version and update to the latest. Fixed in: DGN2200v4 firmware 1.0.0.132 or later. | 2025-11-11 | not yet calculated | CVE-2025-12944 | https://www.netgear.com/support/product/dgn2200v4 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| TYPO3–Extension “Modules” | Improper Authentication vulnerability in TYPO3 Extension “Modules” codingms/modules. This issue affects Extension “Modules”: before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | 2025-11-12 | not yet calculated | CVE-2025-12998 | https://typo3.org/security/advisory/typo3-ext-sa-2025-015 |
| Mozilla–Firefox | Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13012 | https://bugzilla.mozilla.org/show_bug.cgi?id=1991458 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla–Firefox | Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13013 | https://bugzilla.mozilla.org/show_bug.cgi?id=1991945 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla–Firefox | Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13014 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994241 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla–Firefox | Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13015 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994164 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla–Firefox | Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13016 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992130 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla–Firefox | Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13017 | https://bugzilla.mozilla.org/show_bug.cgi?id=1980904 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla–Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13018 | https://bugzilla.mozilla.org/show_bug.cgi?id=1984940 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla–Firefox | Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13019 | https://bugzilla.mozilla.org/show_bug.cgi?id=1988412 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla–Firefox | Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13020 | https://bugzilla.mozilla.org/show_bug.cgi?id=1995686 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla–Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13021 | https://bugzilla.mozilla.org/show_bug.cgi?id=1986431 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13022 | https://bugzilla.mozilla.org/show_bug.cgi?id=1988488 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13023 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992032 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13024 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992902 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13025 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994022 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13026 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994441 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla–Firefox | Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13027 | Memory safety bugs fixed in Firefox 145 and Thunderbird 145 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-12 | not yet calculated | CVE-2025-13042 | |
| Google–Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2025-13097 | |
| Google–Chrome | Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2025-13102 | |
| Google–Chrome | Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2025-13107 | |
| silentmatt–expr-eval | npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to the expr-eval interface can use the JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue. | 2025-11-14 | not yet calculated | CVE-2025-13204 | https://www.npmjs.com/package/expr-eval-fork https://github.com/silentmatt/expr-eval https://github.com/jorenbroekema/expr-eval https://www.huntr.dev/bounties/1-npm-expr-eval/ https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py https://github.com/silentmatt/expr-eval/pull/252/files https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py |
| Grafana Labs–Grafana Snowflake Datasource Plugin | When using the Grafana Snowflake Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1. | 2025-11-11 | not yet calculated | CVE-2025-3717 | https://grafana.com/security/security-advisories/cve-2025-3717/ |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper. Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean “no surface”, unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to handle null objects. Make sure that we validate not only the identifier (via the vmw_cmd_res_check) but also check that the actual resource exists before trying to do something with it. Fixes unchecked null-ptr reference in the snooping code. | 2025-11-12 | not yet calculated | CVE-2025-40110 | https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523 https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964 https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely. | 2025-11-12 | not yet calculated | CVE-2025-40111 | https://git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee https://git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a https://git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b https://git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca https://git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332 https://git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496 https://git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4 https://git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40112 | https://git.kernel.org/stable/c/05440320ea3e249d5f984918f2bf51210c1a7c03 https://git.kernel.org/stable/c/7823fc4d8ab5e57f8db7806ff2530c03c166c4bb https://git.kernel.org/stable/c/37547d8e6eba87507279ee3dfddfd9dc46335454 https://git.kernel.org/stable/c/a365ee556e45f780ee322b349a06efdad0c1458f https://git.kernel.org/stable/c/8cdeb5e482d3fdce7e825444b6ca3865e24c0228 https://git.kernel.org/stable/c/a90ce516a73dbe087f9bf3dbf311301a58d125c6 https://git.kernel.org/stable/c/088c5098ec6d6b0396edfbf3dad3e81de8469c1c https://git.kernel.org/stable/c/0b67c8fc10b13a9090340c5f8a37d308f4e1571c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware and the DTB. The same applies for the “lite” firmware loaded by the boot firmware. When preparing to load the new ADSP firmware we shutdown the lite_pas_id for the main firmware, but we don’t shutdown the corresponding lite pas_id for the DTB. The fact that we’re leaving it “running” forever becomes obvious if you try to reuse (or just access) the memory region used by the “lite” firmware: The &adsp_boot_mem is accessible, but accessing the &adsp_boot_dtb_mem results in a crash. We don’t support reusing the memory regions currently, but nevertheless we should not keep part of the lite firmware running. Fix this by adding the lite_dtb_pas_id and shutting it down as well. We don’t have a way to detect if the lite firmware is actually running yet, so ignore the return status of qcom_scm_pas_shutdown() for now. This was already the case before, the assignment to “ret” is not used anywhere. | 2025-11-12 | not yet calculated | CVE-2025-40113 | https://git.kernel.org/stable/c/ee150acd273aded01a726ce39b1f6128200799e6 https://git.kernel.org/stable/c/142964960c7c35de5c5f7bdd61c32699de693630 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device. Use ioc_info() instead, which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal. [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848] <TASK> [83428.295850] _dev_printk+0x5c/0x80 [83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957] pci_device_remove+0x3b/0xb0 [83428.295962] device_release_driver_internal+0x193/0x200 [83428.295968] driver_detach+0x44/0x90 [83428.295971] bus_remove_driver+0x69/0xf0 [83428.295975] pci_unregister_driver+0x2a/0xb0 [83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000] ? __x64_sys_getdents64+0x9a/0x110 [83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009] ? syscall_trace_enter+0xf6/0x1b0 [83428.296014] do_syscall_64+0x7b/0x2c0 [83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e | 2025-11-12 | not yet calculated | CVE-2025-40115 | https://git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2 https://git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b https://git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3 https://git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403 https://git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489 https://git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62 https://git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8 https://git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it. | 2025-11-12 | not yet calculated | CVE-2025-40116 | https://git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310 https://git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91 https://git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543 https://git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56 https://git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5 https://git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc https://git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35 https://git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() Commit eefb83790a0d (“misc: pci_endpoint_test: Add doorbell test case”) added NO_BAR (-1) to the pci_barno enum which, in practical terms, changes the enum from an unsigned int to a signed int. If the user passes a negative number in pci_endpoint_test_ioctl() then it results in an array underflow in pci_endpoint_test_bar(). | 2025-11-12 | not yet calculated | CVE-2025-40117 | https://git.kernel.org/stable/c/6df3687922570f753574c40b35e83b26b32292d0 https://git.kernel.org/stable/c/1ad82f9db13d85667366044acdfb02009d576c5a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-bounds on rmmod Since commit f7b705c238d1 (“scsi: pm80xx: Set phy_attached to zero when device is gone”) UBSAN reports: UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type ‘pm8001_phy [16]’ on rmmod when using an expander. For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id. I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the number of phys of the expander). E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the ports has an expander connected. The expander has 31 phys with phy ids 0-30. The pm8001_ha->phy array only contains the phys of the HBA. It does not contain the phys of the expander. Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander. Thus, we can only clear phy_attached for devices that are directly attached. | 2025-11-12 | not yet calculated | CVE-2025-40118 | https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493 https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566 https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582 https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628 https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585 https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy(). | 2025-11-12 | not yet calculated | CVE-2025-40119 | https://git.kernel.org/stable/c/00110f3cfc9b34b2dfee2a6c9e55a0ae6df125ae https://git.kernel.org/stable/c/3c3fac6bc0a9c00dbe65d8dc0d3a282afe4d3188 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues. To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (…/power/control – pm_runtime_allow/forbid), making this approach robust against sysfs overrides. Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before. | 2025-11-12 | not yet calculated | CVE-2025-40120 | https://git.kernel.org/stable/c/71a0ba7fdaf8d035426912a4ed7bf1738a81010c https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e https://git.kernel.org/stable/c/724a9db84188f80ef60b1f21cc7b4e9c84e0cb64 https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11 https://git.kernel.org/stable/c/9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4 https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via the quirk option, currently the bytcr_rt5640 driver just ignores it and leaves it as is, which may lead to unexpected results like OOB access. This patch adds the sanity check and corrects the input mapping to a certain default value if an invalid value is passed. | 2025-11-12 | not yet calculated | CVE-2025-40121 | https://git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c https://git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e https://git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff https://git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0 https://git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13 https://git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed https://git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0 https://git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error When running perf_fuzzer on PTL, sometimes the below “unchecked MSR access error” is seen when accessing IA32_PMC_x_CFG_B MSRs. [ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30) [ 55.611280] Call Trace: [ 55.611282] <TASK> [ 55.611284] ? intel_pmu_config_acr+0x87/0x160 [ 55.611289] intel_pmu_enable_acr+0x6d/0x80 [ 55.611291] intel_pmu_enable_event+0xce/0x460 [ 55.611293] x86_pmu_start+0x78/0xb0 [ 55.611297] x86_pmu_enable+0x218/0x3a0 [ 55.611300] ? x86_pmu_enable+0x121/0x3a0 [ 55.611302] perf_pmu_enable+0x40/0x50 [ 55.611307] ctx_resched+0x19d/0x220 [ 55.611309] __perf_install_in_context+0x284/0x2f0 [ 55.611311] ? __pfx_remote_function+0x10/0x10 [ 55.611314] remote_function+0x52/0x70 [ 55.611317] ? __pfx_remote_function+0x10/0x10 [ 55.611319] generic_exec_single+0x84/0x150 [ 55.611323] smp_call_function_single+0xc5/0x1a0 [ 55.611326] ? __pfx_remote_function+0x10/0x10 [ 55.611329] perf_install_in_context+0xd1/0x1e0 [ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10 [ 55.611333] __do_sys_perf_event_open+0xa76/0x1040 [ 55.611336] __x64_sys_perf_event_open+0x26/0x30 [ 55.611337] x64_sys_call+0x1d8e/0x20c0 [ 55.611339] do_syscall_64+0x4f/0x120 [ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e On PTL, GP counters 0 and 1 do not support the auto counter reload feature, thus it would trigger a #GP when trying to write 1 on bit 0 of the CFG_B MSR, which requests enabling auto counter reload on GP counter 0. The root cause of this issue is that the check for the auto counter reload (ACR) counter mask from user space is incorrect in the intel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter mask from user space being set into hw.config1 and then written into CFG_B MSRs, triggering the MSR access warning. E.g., a user may create a perf event with ACR counter mask (config2=0xcb), and there is only 1 event created, so “cpuc->n_events” is 1. The correct check condition should be “i + idx >= cpuc->n_events” instead of “i + idx > cpuc->n_events” (it looks like a typo). Otherwise, the counter mask would be traversed twice and an invalid “cpuc->assign[1]” bit (bit 0) is set into hw.config1 and causes the MSR access error. Besides, also check whether the events corresponding to the ACR counter mask are ACR events. If not, filter out these counter mask bits. If an event is not an ACR event, it could be scheduled to a HW counter which doesn’t support ACR. It’s invalid to add its counter index to the ACR counter mask. Furthermore, remove the WARN_ON_ONCE() since it’s easily triggered, as a user could set any invalid ACR counter mask and the warning message could mislead users. | 2025-11-12 | not yet calculated | CVE-2025-40122 | https://git.kernel.org/stable/c/c6cca4213b618c92e4972919ee568f0fb87313b1 https://git.kernel.org/stable/c/43796f30507802d93ead2dc44fc9637f34671a89 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel’s BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to dereference the txq member of a struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can be neither BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB’s expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md’s egress_ifindex, and the latter is only allowed to be accessed under the mentioned expected_attach_type. progB is then inserted into the tailcall map which progA calls. The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs’ expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed to do a tailcall into a program which calls bpf_bind() out of BPF, which is only enabled for BPF_CGROUP_INET4_CONNECT. In short, specifying expected_attach_type allows opening up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible(). Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue. | 2025-11-12 | not yet calculated | CVE-2025-40123 | https://git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8 https://git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32 https://git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a https://git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923ad https://git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This led to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy. The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40124 | https://git.kernel.org/stable/c/fdd43fe6d286f27b826572457a89c926f97e2d3a https://git.kernel.org/stable/c/1198077606aeffb102587c6ea079ce99641c99d4 https://git.kernel.org/stable/c/1857cdca12c4aff58bf26a7005a4d02850c29927 https://git.kernel.org/stable/c/91eda032eb16e5d2be27c95584665bc555bb5a90 https://git.kernel.org/stable/c/dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e https://git.kernel.org/stable/c/5ef9c94d7110e90260c06868cf1dcf899b9f25ee https://git.kernel.org/stable/c/e50377c6b3f278c9f3ef017ffce17f5fcc9dace4 https://git.kernel.org/stable/c/47b49c06eb62504075f0f2e2227aee2e2c2a58b3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing the disk will trigger the following warning: kernfs: can not remove ‘nr_tags’, no directory WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160 Call Trace: remove_files.isra.1+0x38/0xb0 sysfs_remove_group+0x4d/0x100 sysfs_remove_groups+0x31/0x60 __kobject_del+0x23/0xf0 kobject_del+0x17/0x40 blk_mq_unregister_hctx+0x5d/0x80 blk_mq_sysfs_unregister_hctxs+0x94/0xd0 blk_mq_update_nr_hw_queues+0x124/0x760 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x92/0x120 [null_blk] kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it. | 2025-11-12 | not yet calculated | CVE-2025-40125 | https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898 https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6 https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911 https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731 https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032 https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40126 | https://git.kernel.org/stable/c/0bf3dc3a2156f1c5ddaba4b85d09767874634114 https://git.kernel.org/stable/c/41c18baee66134e6ef786eb075c1b6adb22432b0 https://git.kernel.org/stable/c/59424dc0d0e044b2eb007686a4724ddd91d57db5 https://git.kernel.org/stable/c/9b137f277cc3297044aabd950f589e505d30104c https://git.kernel.org/stable/c/674ff598148a28bae0b5372339de56f2abf0b1d1 https://git.kernel.org/stable/c/7de3a75bbc8465d816336c74d50109e73501efab https://git.kernel.org/stable/c/57c278500fce3cd4e1c540700c0b05426a958393 https://git.kernel.org/stable/c/4fba1713001195e59cfc001ff1f2837dab877efb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa – fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values. Add clock initialization code before using the clock. drivers/char/hw_random/ks-sa-rng.c | 7 +++++++ 1 file changed, 7 insertions(+) | 2025-11-12 | not yet calculated | CVE-2025-40127 | https://git.kernel.org/stable/c/692a04a1e0cde1d80a33df0078c755cf02cd7268 https://git.kernel.org/stable/c/d76b099011fa056950f63d05ebb6160991242f6a https://git.kernel.org/stable/c/eec7e0e19c1fa75dc65e25aa6a21ef24a03849af https://git.kernel.org/stable/c/f4238064379a91e71a9c258996acac43c50c2094 https://git.kernel.org/stable/c/2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2 https://git.kernel.org/stable/c/55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2 https://git.kernel.org/stable/c/612b1dfeb414dfa780a6316014ceddf9a74ff5c0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. | 2025-11-12 | not yet calculated | CVE-2025-40129 | https://git.kernel.org/stable/c/81cec07d303186d0d8c623ef8b5ecd3b81e94cf6 https://git.kernel.org/stable/c/affc03d44921f493deaae1d33151e3067a6f9f8f https://git.kernel.org/stable/c/ab9a70cd2386a0d70c164b0905dd66bc9af52e77 https://git.kernel.org/stable/c/6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the ‘pm_qos_enabled’ flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A typical race condition call trace is: [Thread A] ufshcd_pm_qos_exit() –> cpu_latency_qos_remove_request() –> cpu_latency_qos_apply(); –> pm_qos_update_target() –> plist_del <–(1) delete plist node –> memset(req, 0, sizeof(*req)); –> hba->pm_qos_enabled = false; [Thread B] ufshcd_devfreq_target –> ufshcd_devfreq_scale –> ufshcd_scale_clks –> ufshcd_pm_qos_update <–(2) pm_qos_enabled is true –> cpu_latency_qos_update_request –> pm_qos_update_target –> plist_del <–(3) plist node use-after-free Introduce a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads. | 2025-11-12 | not yet calculated | CVE-2025-40130 | https://git.kernel.org/stable/c/d9df61afb8d23c475f1be3c714da2c34c156ab01 https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a result, the peer is NULL, and link_id and link_valid fields in the RX status are not populated. This leads to a WARN_ON in mac80211 when it receives data frame from an associated station with invalid link_id. Fix this potential issue by using ppduinfo->peer_id, which holds the correct peer id for the received frame. This ensures that the peer is correctly found and the associated link metadata is updated accordingly. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-11-12 | not yet calculated | CVE-2025-40131 | https://git.kernel.org/stable/c/da64eb2da76ce5626238a951fdf3e81810454427 https://git.kernel.org/stable/c/7ca61ed8b3f3fc9a7decd68039cb1d7d1238c566 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it. The original code assumed that if include_sidecar is true, the codec on that link has an add_sidecar callback. But there could be other codecs on the same link that do not have an add_sidecar callback. | 2025-11-12 | not yet calculated | CVE-2025-40132 | https://git.kernel.org/stable/c/aea038062edfca9c6e5ddcecd4611d5a80113b4e https://git.kernel.org/stable/c/a5416c0fc9e77b69f853dfb1e78bc05a7c06a789 https://git.kernel.org/stable/c/87cab86925b7fa4c1c977bc191ac549a3b23f0ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). mptcp_active_enable() is called from subflow_finish_connect(), which is icsk->icsk_af_ops->sk_rx_dst_set() and it’s not always under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let’s use __sk_dst_get() and dst_dev_rcu(). | 2025-11-12 | not yet calculated | CVE-2025-40133 | https://git.kernel.org/stable/c/ad16235c9d3ef7ec17c109ff39b7504f49d17072 https://git.kernel.org/stable/c/cc976ec9e38bb79409de3261ba1dbb6868e2a53e https://git.kernel.org/stable/c/893c49a78d9f85e4b8081b908fb7c407d018106a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0 The issue can be triggered as below (T1 and T2 are two concurrent tasks): T1: dm_suspend -> __dm_suspend -> dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2); T2: table_load -> dm_setup_md_queue -> dm_mq_init_request_queue -> blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) ... => q->tag_set = set; (3) Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps. Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences. | 2025-11-12 | not yet calculated | CVE-2025-40134 | https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98 https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6 https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4 https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. | 2025-11-12 | not yet calculated | CVE-2025-40135 | https://git.kernel.org/stable/c/f7f9e924f23684b4b23cd9f976cceab24a968e34 https://git.kernel.org/stable/c/9085e56501d93af9f2d7bd16f7fcfacdde47b99c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm – request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for physical function and a reserved interrupt for virtual function. However, the driver has not registered the reserved interrupt for virtual function. When allocating interrupts, the number of interrupts is allocated based on powers of two, which includes this interrupt. When the system enables GICv4 and the virtual function passthrough to the virtual machine, releasing the interrupt in the driver triggers a warning. The WARNING report is: WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4 Therefore, register a reserved interrupt for VF and set the IRQF_NO_AUTOEN flag to avoid that warning. | 2025-11-12 | not yet calculated | CVE-2025-40136 | https://git.kernel.org/stable/c/854da2b0df1654d63963d587b12fec6068d89643 https://git.kernel.org/stable/c/9228facb308157ac0bdd264b873187896f7a9c7a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change from 0 to 40427 F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072) F2FS-fs (loop0): Can’t find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix. ————[ cut here ]———— kernel BUG at fs/inode.c:753! RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753 Call Trace: <TASK> evict+0x504/0x9c0 fs/inode.c:810 f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692 vfs_get_tree+0x8f/0x2b0 fs/super.c:1815 do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f During f2fs_evict_inode(), clear_inode() detects that we missed to truncate all page cache before destroying the inode; that is because in the path below we create page #0 in the cache but fail to drop it in the error path. Let’s fix it. – evict – f2fs_evict_inode – f2fs_truncate – f2fs_convert_inline_inode – f2fs_grab_cache_folio : create page #0 in cache – f2fs_convert_inline_folio : sanity check failed, return -EFSCORRUPTED – clear_inode detects that inode->i_data.nrpages is not zero | 2025-11-12 | not yet calculated | CVE-2025-40137 | https://git.kernel.org/stable/c/83a8e4efea022506a0e049e7206bdf8be9f78148 https://git.kernel.org/stable/c/a7b7ebdd7045a36454b3e388a2ecf50344fad9e6 https://git.kernel.org/stable/c/3b0c8908faa18cded84d64822882a830ab1f4d26 https://git.kernel.org/stable/c/9251a9e6e871cb03c4714a18efa8f5d4a8818450 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() syzbot reported a f2fs bug as below: Oops: gen[ 107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G W 6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)} RIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284 Call Trace: <TASK> f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline] f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436 __f2fs_remount fs/f2fs/super.c:2653 [inline] f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297 reconfigure_super+0x224/0x890 fs/super.c:1077 do_remount fs/namespace.c:3314 [inline] path_mount+0xd18/0xfe0 fs/namespace.c:4112 do_mount fs/namespace.c:4133 [inline] __do_sys_mount fs/namespace.c:4344 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4321 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref issue in strcmp(). The bug can be reproduced w/ below scripts: mkfs.f2fs -f /dev/vdb mount -t f2fs -o usrquota /dev/vdb /mnt/f2fs quotacheck -uc /mnt/f2fs/ umount /mnt/f2fs mount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs mount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs umount /mnt/f2fs So, before old_qname and new_qname comparison, we need to check whether they are all valid pointers, fix it. | 2025-11-12 | not yet calculated | CVE-2025-40138 | https://git.kernel.org/stable/c/3f3458852bbfe79c60f2412b8b04677b96688b6e https://git.kernel.org/stable/c/930a9a6ee8e7ffa20af4bffbfc2bbd21d83bf81c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let’s use __sk_dst_get() and dst_dev_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there. | 2025-11-12 | not yet calculated | CVE-2025-40139 | https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1 https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning: rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); } rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <– wakes up TX queue before URB is done } rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); <– double submission } rtl8150_set_multicast, being the ndo_set_rx_mode callback, should not be calling netif_stop_queue and netif_start_queue, as these handle TX queue synchronization. The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast, making it safe to remove these locks. | 2025-11-12 | not yet calculated | CVE-2025-40140 | https://git.kernel.org/stable/c/cce3c0e21cdd15bcba5c35d3af1700186de8f187 https://git.kernel.org/stable/c/1a08a37ac03d07a1608a1592791041cac979fbc3 https://git.kernel.org/stable/c/54f8ef1a970a8376e5846ed90854decf7c00555d https://git.kernel.org/stable/c/114e05344763a102a8844efd96ec06ba99293ccd https://git.kernel.org/stable/c/6394bade9daab8e318c165fe43bba012bf13cd8e https://git.kernel.org/stable/c/6053e47bbf212b93c051beb4261d7d5a409d0ce3 https://git.kernel.org/stable/c/9d72df7f5eac946f853bf49c428c4e87a17d91da https://git.kernel.org/stable/c/958baf5eaee394e5fd976979b0791a875f14a179 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempts to fix an issue similar to the one in sco_conn_free, where not setting conn->sk to NULL may lead to UAF on iso_conn_free. | 2025-11-12 | not yet calculated | CVE-2025-40141 | https://git.kernel.org/stable/c/eba6d787ec117a5d2c60f9644e0a39c18542b6be https://git.kernel.org/stable/c/5319145a07d8bf5b0782b25cb3115825689d42bb https://git.kernel.org/stable/c/80689777919f02328eb873769de4647c9dd3e371 https://git.kernel.org/stable/c/c92ad1a155ccfa38b87bd1d998287e1c0a24248d https://git.kernel.org/stable/c/9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. For synchronisation reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirqs against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock. The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired. Disable softirqs before the lock is acquired on PREEMPT_RT. | 2025-11-12 | not yet calculated | CVE-2025-40142 | https://git.kernel.org/stable/c/63ee96c7f47df239ee0a6e8108b6bfd8c98334ae https://git.kernel.org/stable/c/3969b6193cb7a45aa5fb4ec68f215e9e7f93d39a https://git.kernel.org/stable/c/9fc4a3da9a0259a0500848b5d8657918efde176b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc(). maybe_exit_scc() assumes that, when called for a state with insn_idx in some SCC, there should be an instance of struct bpf_scc_visit allocated for that SCC. Turns out the assumption does not hold for speculative execution paths. See example in the next patch. maybe_scc_exit() is called from update_branch_counts() for states that reach branch count of zero, meaning that path exploration for a particular path is finished. Path exploration can finish in one of three ways: a. Verification error is found. In this case, update_branch_counts() is called only for non-speculative paths. b. Top level BPF_EXIT is reached. Such instructions are never a part of an SCC, so compute_scc_callchain() in maybe_scc_exit() will return false, and maybe_scc_exit() will return early. c. A checkpoint is reached and matched. Checkpoints are created by is_state_visited(), which calls maybe_enter_scc(), which allocates bpf_scc_visit instances for checkpoints within SCCs. Hence, for non-speculative symbolic execution paths, the assumption still holds: if maybe_scc_exit() is called for a state within an SCC, bpf_scc_visit instance must exist. This patch removes the verifier_bug() call for speculative paths. | 2025-11-12 | not yet calculated | CVE-2025-40143 | https://git.kernel.org/stable/c/3861e7c4324aa20a632fb74eb3904114f6afdb57 https://git.kernel.org/stable/c/a3c73d629ea1373af3c0c954d41fd1af555492e3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails, jumping to the common error path. Do not emit an extra error message since the allocator already warns on allocation failure. | 2025-11-12 | not yet calculated | CVE-2025-40144 | https://git.kernel.org/stable/c/972cbba5cd384bacdc2eb589776e1d0a9f42714f https://git.kernel.org/stable/c/bc8b56317ff83ef4bba89bda356b93978604694f https://git.kernel.org/stable/c/b808a3590c2884ca91316dbadbfcc1924f5893c7 https://git.kernel.org/stable/c/e4a1e3e88160f7d7a2c33e3db8844073ed6eaf97 https://git.kernel.org/stable/c/8aea9d512c65eed0dad98b8d65ce74fe77c01b34 https://git.kernel.org/stable/c/a9e6aa994917ee602798bbb03180a194b37865bb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure When devm_add_action_or_reset() fails, it calls the passed cleanup function. Hence the caller must not repeat that cleanup. Replace the “goto err_regulator_free” by the actual freeing, as there will never be a need again for a second user of this label. | 2025-11-12 | not yet calculated | CVE-2025-40145 | https://git.kernel.org/stable/c/77732c58fef6247b71493dc3997af0ec0aaad5c7 https://git.kernel.org/stable/c/ab81f2f79c683c94bac622aafafbe8232e547159 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocating and freeing sched_tags while the queue is frozen can deadlock[1]. This is a long-term problem, hence allocate memory before freezing the queue and free memory after the queue is unfrozen. [1] https://lore.kernel.org/all/0659ea8d-a463-47c8-9180-43c719e106eb@linux.ibm.com/ | 2025-11-12 | not yet calculated | CVE-2025-40146 | https://git.kernel.org/stable/c/8d26acf8477174d8ef690eb6affe13a630f586ae https://git.kernel.org/stable/c/b86433721f46d934940528f28d49c1dedb690df1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-throttle: fix access race during throttle policy activation On repeated cold boots we occasionally hit a NULL pointer crash in blk_should_throtl() when throttling is consulted before the throttle policy is fully enabled for the queue. Checking only q->td != NULL is insufficient during early initialization, so blkg_to_pd() for the throttle policy can still return NULL and blkg_to_tg() becomes NULL, which later gets dereferenced. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000156 … pc : submit_bio_noacct+0x14c/0x4c8 lr : submit_bio_noacct+0x48/0x4c8 sp : ffff800087f0b690 x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0 x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70 x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60 x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002 x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500 x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a Call trace: submit_bio_noacct+0x14c/0x4c8 verity_map+0x178/0x2c8 __map_bio+0x228/0x250 dm_submit_bio+0x1c4/0x678 __submit_bio+0x170/0x230 submit_bio_noacct_nocheck+0x16c/0x388 submit_bio_noacct+0x16c/0x4c8 submit_bio+0xb4/0x210 f2fs_submit_read_bio+0x4c/0xf0 f2fs_mpage_readpages+0x3b0/0x5f0 f2fs_readahead+0x90/0xe8 Tighten blk_throtl_activated() to also require that the throttle policy bit is set on the queue: return q->td != NULL && test_bit(blkcg_policy_throtl.plid, q->blkcg_pols); This prevents blk_should_throtl() from accessing throttle group state until policy data has been attached to blkgs. | 2025-11-12 | not yet calculated | CVE-2025-40147 | https://git.kernel.org/stable/c/6a0c394300a7b0c05504596685de8a46707171fc https://git.kernel.org/stable/c/bd9fd5be6bc0836820500f68fff144609fbd85a9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions The function dc_stream_set_cursor_attributes() currently dereferences the `stream` pointer and nested members `stream->ctx->dc->current_state` without checking for NULL. All callers of these functions, such as in `dcn30_apply_idle_power_optimizations()` and `amdgpu_dm_plane_handle_cursor_update()`, already perform NULL checks before calling these functions. Fixes below: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes() error: we previously assumed ‘stream’ could be null (see line 334) drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c 327 bool dc_stream_program_cursor_attributes( 328 struct dc_stream_state *stream, 329 const struct dc_cursor_attributes *attributes) 330 { 331 struct dc *dc; 332 bool reset_idle_optimizations = false; 333 334 dc = stream ? stream->ctx->dc : NULL; ^^^^^^ The old code assumed stream could be NULL. 335 –> 336 if (dc_stream_set_cursor_attributes(stream, attributes)) { ^^^^^^ The refactor added an unchecked dereference. drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c 313 bool dc_stream_set_cursor_attributes( 314 struct dc_stream_state *stream, 315 const struct dc_cursor_attributes *attributes) 316 { 317 bool result = false; 318 319 if (dc_stream_check_cursor_attributes(stream, stream->ctx->dc->current_state, attributes)) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here. This function used to check for if stream as NULL and return false at the start. Probably we should add that back. | 2025-11-12 | not yet calculated | CVE-2025-40148 | https://git.kernel.org/stable/c/01e793e7d4d402c473f1a61ca5824f086693be65 https://git.kernel.org/stable/c/bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let’s use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. | 2025-11-12 | not yet calculated | CVE-2025-40149 | https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407 https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid migrating empty section It reports a bug from device w/ zufs: F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT F2FS-fs (dm-64): Stopped filesystem due to reason: 4 Thread A Thread B – f2fs_expand_inode_data – f2fs_allocate_pinning_section – f2fs_gc_range – do_garbage_collect w/ segno #x – writepage – f2fs_allocate_data_block – new_curseg – allocate segno #x The root cause is: fallocate on pinning file may race w/ block allocation as above, result in do_garbage_collect() from fallocate() may migrate segment which is just allocated by a log, the log will update segment type in its in-memory structure, however GC will get segment type from on-disk SSA block, once segment type changes by log, we can detect such inconsistency, then shutdown filesystem. In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE), however segno #173822 was just allocated as data type segment, so in-memory SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA). Change as below to fix this issue: – check whether current section is empty before gc – add sanity checks on do_garbage_collect() to avoid any race case, result in migrating segment used by log. – btw, it fixes misc issue in printed logs: “SSA and SIT” -> “SIT and SSA”. | 2025-11-12 | not yet calculated | CVE-2025-40150 | https://git.kernel.org/stable/c/eec1589be36fcf7440755703e4faeee2c01e360b https://git.kernel.org/stable/c/d625a2b08c089397d3a03bff13fa8645e4ec7a01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. This causes an oops when running bpf selftest: $ ./test_progs -a tracing_struct Oops[#1]: CPU -1 Unable to handle kernel paging request at virtual address 0000000000000018, era == 9000000085bef268, ra == 90000000844f3938 rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: 1-…0: (19 ticks this GP) idle=1094/1/0x4000000000000000 softirq=1380/1382 fqs=801 rcu: (detected by 0, t=5252 jiffies, g=1197, q=52 ncpus=4) Sending NMI from CPU 0 to CPUs 1: rcu: rcu_preempt kthread starved for 2495 jiffies! g1197 f0x0 RCU_GP_DOING_FQS(6) ->state=0x0 ->cpu=2 rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. rcu: RCU grace-period kthread stack dump: task:rcu_preempt state:I stack:0 pid:15 tgid:15 ppid:2 task_flags:0x208040 flags:0x00000800 Stack : 9000000100423e80 0000000000000402 0000000000000010 90000001003b0680 9000000085d88000 0000000000000000 0000000000000040 9000000087159350 9000000085c2b9b0 0000000000000001 900000008704a000 0000000000000005 00000000ffff355b 00000000ffff355b 0000000000000000 0000000000000004 9000000085d90510 0000000000000000 0000000000000002 7b5d998f8281e86e 00000000ffff355c 7b5d998f8281e86e 000000000000003f 9000000087159350 900000008715bf98 0000000000000005 9000000087036000 900000008704a000 9000000100407c98 90000001003aff80 900000008715c4c0 9000000085c2b9b0 00000000ffff355b 9000000085c33d3c 00000000000000b4 0000000000000000 9000000007002150 00000000ffff355b 9000000084615480 0000000007000002 … Call Trace: [<9000000085c2a868>] __schedule+0x410/0x1520 [<9000000085c2b9ac>] schedule+0x34/0x190 [<9000000085c33d38>] schedule_timeout+0x98/0x140 [<90000000845e9120>] rcu_gp_fqs_loop+0x5f8/0x868 [<90000000845ed538>] rcu_gp_kthread+0x260/0x2e0 [<900000008454e8a4>] kthread+0x144/0x238 [<9000000085c26b60>] ret_from_kernel_thread+0x28/0xc8 [<90000000844f20e4>] ret_from_kernel_thread_asm+0xc/0x88 rcu: Stack dump where RCU GP kthread last ran: Sending NMI from CPU 0 to CPUs 2: NMI backtrace for cpu 2 skipped: idling at idle_exit+0x0/0x4 Reject it for now. | 2025-11-12 | not yet calculated | CVE-2025-40151 | https://git.kernel.org/stable/c/d1158559315143e11bfaabcd4b2bea98c7ed1be9 https://git.kernel.org/stable/c/e82406c7cbdd368c5459b8a45e118811d2ba0794 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses drm_gem_obj.gpuva.list, which is not initialized when the drm driver does not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms drm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam is set: [ 9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0 [ 9.523160] Mem abort info: [ 9.523161] ESR = 0x0000000096000006 [ 9.523163] EC = 0x25: DABT (current EL), IL = 32 bits [ 9.523165] SET = 0, FnV = 0 [ 9.523166] EA = 0, S1PTW = 0 [ 9.523167] FSC = 0x06: level 2 translation fault [ 9.523169] Data abort info: [ 9.523170] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 9.523171] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 9.523172] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000 [ 9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000 [ 9.523184] Internal error: Oops: 0000000096000006 [#1] SMP [ 9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT [ 9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024 [ 9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=–) [ 9.592973] pc : lookup_vma+0x28/0xe0 [msm] [ 9.592996] lr : get_vma_locked+0x2c/0x128 [msm] [ 9.763632] sp : ffff800082dab460 [ 9.763666] Call trace: [ 9.763668] lookup_vma+0x28/0xe0 [msm] (P) [ 9.763688] get_vma_locked+0x2c/0x128 [msm] [ 9.763706] msm_gem_get_and_pin_iova_range+0x68/0x11c [msm] [ 9.763723] msm_gem_get_and_pin_iova+0x18/0x24 [msm] [ 9.763740] msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm] [ 9.763760] __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper] [ 9.763771] drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper] [ 9.763779] drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib] [ 9.763782] drm_client_register+0x58/0x9c [drm] [ 9.763806] drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib] [ 9.763809] drm_client_setup+0xb4/0xd8 [drm_client_lib] [ 9.763811] msm_drm_kms_post_init+0x2c/0x3c [msm] [ 9.763830] msm_drm_init+0x1a8/0x22c [msm] [ 9.763848] msm_drm_bind+0x30/0x3c [msm] [ 9.919273] try_to_bring_up_aggregate_device+0x168/0x1d4 [ 9.919283] __component_add+0xa4/0x170 [ 9.919286] component_add+0x14/0x20 [ 9.919288] msm_dp_display_probe_tail+0x4c/0xac [msm] [ 9.919315] msm_dp_auxbus_done_probe+0x14/0x20 [msm] [ 9.919335] dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus] [ 9.919341] really_probe+0xbc/0x298 [ 9.919345] __driver_probe_device+0x78/0x12c [ 9.919348] driver_probe_device+0x40/0x160 [ 9.919350] __driver_attach+0x94/0x19c [ 9.919353] bus_for_each_dev+0x74/0xd4 [ 9.919355] driver_attach+0x24/0x30 [ 9.919358] bus_add_driver+0xe4/0x208 [ 9.919360] driver_register+0x60/0x128 [ 9.919363] __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus] [ 9.919365] atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20] [ 9.919370] do_one_initcall+0x6c/0x1b0 [ 9.919374] do_init_module+0x58/0x234 [ 9.919377] load_module+0x19cc/0x1bd4 [ 9.919380] init_module_from_file+0x84/0xc4 [ 9.919382] __arm64_sys_finit_module+0x1b8/0x2cc [ 9.919384] invoke_syscall+0x48/0x110 [ 9.919389] el0_svc_common.constprop.0+0xc8/0xe8 [ 9.919393] do_el0_svc+0x20/0x2c [ 9.919396] el0_svc+0x34/0xf0 [ 9.919401] el0t_64_sync_handler+0xa0/0xe4 [ 9.919403] el0t_64_sync+0x198/0x19c [ 9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44) [ 9.919410] —[ end trace 0000000000000000 ]— Patchwork: https://patchwork.freedesktop.org/pa —truncated— | 2025-11-12 | not yet calculated | CVE-2025-40152 | https://git.kernel.org/stable/c/87aff6d08f3b13bfad66df7c13af5f3a3548d5b9 https://git.kernel.org/stable/c/f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() on a large hugetlb memory area in our customer’s workload (~300GB hugetlb memory), soft lockup was observed: watchdog: BUG: soft lockup – CPU#98 stuck for 23s! [t2_new_sysv:126916] CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000 Call trace: mte_clear_page_tags+0x14/0x24 set_huge_pte_at+0x25c/0x280 hugetlb_change_protection+0x220/0x430 change_protection+0x5c/0x8c mprotect_fixup+0x10c/0x294 do_mprotect_pkey.constprop.0+0x2e0/0x3d4 __arm64_sys_mprotect+0x24/0x44 invoke_syscall+0x50/0x160 el0_svc_common+0x48/0x144 do_el0_svc+0x30/0xe0 el0_svc+0x30/0xf0 el0t_64_sync_handler+0xc4/0x148 el0t_64_sync+0x1a4/0x1a8 Soft lockup is not triggered with THP or base pages because cond_resched() is called for each PMD size. Although the soft lockup was triggered by MTE, it should not be MTE specific. Other processing that takes a long time in the loop may trigger soft lockup too. So add cond_resched() for hugetlb to avoid soft lockup. | 2025-11-12 | not yet calculated | CVE-2025-40153 | https://git.kernel.org/stable/c/30498c44c2a0b20f6833ed7d8fc3df901507f760 https://git.kernel.org/stable/c/5783485ab2be06be5312b26c8793526edc09123d https://git.kernel.org/stable/c/547e123e9d342a44c756446640ed847a8aeec611 https://git.kernel.org/stable/c/957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859 https://git.kernel.org/stable/c/964598e6f70a1be9fe675280bf16b4f96b0a6809 https://git.kernel.org/stable/c/4975c975ed9457a77953a26aeef85fdba7cf5498 https://git.kernel.org/stable/c/c6096f3947f68f96defedb8764b3b1ca4cf3469f https://git.kernel.org/stable/c/f52ce0ea90c83a28904c7cc203a70e6434adfecb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via the quirk option, the bytcr_rt5640 driver currently only shows an error message but leaves the value as is. This may lead to unexpected results like OOB access. This patch corrects the input mapping to a certain default value if an invalid value is passed. | 2025-11-12 | not yet calculated | CVE-2025-40154 | https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01 https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40 https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4 https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9 https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322 https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR may be uninitialized or zero in that case and may cause an oops like: Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 RIP: 0010:pgtable_walk_level+0x98/0x150 RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206 RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000 RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000 R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98 FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: <TASK> pgtable_walk_level+0x88/0x150 domain_translation_struct_show.isra.0+0x2d9/0x300 dev_domain_translation_struct_show+0x20/0x40 seq_read_iter+0x12d/0x490 … Avoid walking the page table if TT is not 00b or 01b. | 2025-11-12 | not yet calculated | CVE-2025-40155 | https://git.kernel.org/stable/c/d8cf7b59c49f9118fa875462e18686cb6b131bb5 https://git.kernel.org/stable/c/df2bf759a0bdb71f13e327d7527260d09facc055 https://git.kernel.org/stable/c/fbe6070c73badca726e4ff7877320e6c62339917 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which would lead to an error pointer dereference. Use IS_ERR_OR_NULL() to check that the pointer is valid. | 2025-11-12 | not yet calculated | CVE-2025-40156 | https://git.kernel.org/stable/c/9cc23e221f392304b7b8aad213812564ddf6517e https://git.kernel.org/stable/c/80eab6a9df7e1107dc334434dbacd05297703377 https://git.kernel.org/stable/c/44e32104cf7e670e3d683c97b52350d8fac23322 https://git.kernel.org/stable/c/24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0 https://git.kernel.org/stable/c/fc33bf0e097c6834646b98a7b3da0ae5b617f0f9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nm_edac driver on some Intel Granite Rapids servers, a call trace may appear as follows: UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16 shift exponent -66 is negative … __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common] i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac] skx_register_mci+0x159/0x220 [skx_edac_common] i10nm_init+0xcb0/0x1ff0 [i10nm_edac] … This occurs because some BIOS may disable a memory controller if there aren’t any memory DIMMs populated on this memory controller. The DIMMMTR register of this disabled memory controller contains the invalid value ~0, resulting in the call trace above. Fix this call trace by skipping DIMM enumeration on a disabled memory controller. | 2025-11-12 | not yet calculated | CVE-2025-40157 | https://git.kernel.org/stable/c/8100b6c0f9089d5b156642b81270ce27fff17490 https://git.kernel.org/stable/c/1652f14cf3bef5a4baa232de954fc22bdcaa78fe https://git.kernel.org/stable/c/c20da24272f1ac79e9f9083bba577d049cd02bbb https://git.kernel.org/stable/c/2e6fe1bbefd9c059c3787d1c620fe67343a94dff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2(). | 2025-11-12 | not yet calculated | CVE-2025-40158 | https://git.kernel.org/stable/c/0393f85c3241c19ba8550f04a812e7d19f6b3082 https://git.kernel.org/stable/c/11709573cc4e48dc34c80fc7ab9ce5b159e29695 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit. desc->len close to "U32_MAX" with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks. Always promote desc->len to "u64" first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is "u64" already). bloat-o-meter reports a little growth of the code size: add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16 but hopefully this doesn't hurt the performance much. | 2025-11-12 | not yet calculated | CVE-2025-40159 | https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980 https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propagate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don’t know which per_cpu(virq_to_irq) it will be in. | 2025-11-12 | not yet calculated | CVE-2025-40160 | https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7 https://git.kernel.org/stable/c/a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa https://git.kernel.org/stable/c/f81db055a793eca9d05f79658ff62adafb41d664 https://git.kernel.org/stable/c/07ce121d93a5e5fb2440a24da3dbf408fcee978e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix SGI cleanup on unbind The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number < 16, which fails with dynamic IRQ allocation. During unbind, this causes improper SGI cleanup leading to kernel crash. Add explicit irq_type field to pdata for reliable identification of SGI interrupts (type-2) and only clean up SGI resources when appropriate. | 2025-11-12 | not yet calculated | CVE-2025-40161 | https://git.kernel.org/stable/c/1ee147efee68be00203b1fee6479911debb1edb2 https://git.kernel.org/stable/c/32bf7c6e01f5ba17a53ba236a770bd0274cefdf4 https://git.kernel.org/stable/c/bb160e791ab15b89188a7a19589b8e11f681bef3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference. | 2025-11-12 | not yet calculated | CVE-2025-40162 | https://git.kernel.org/stable/c/095d692e5997ece300c89f10d903d5230090e6a0 https://git.kernel.org/stable/c/a1cccbd19676fc36854535a7118ba2c27d0b84b3 https://git.kernel.org/stable/c/5726b68473f7153a7f6294185e5998b7e2a230a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Stop dl_server before CPU goes offline IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e “drmgr -c cpu -r -q 1” WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320 Git bisects to: commit 4ae8d9aa9f9d (“sched/deadline: Fix dl_server getting stuck”) This happens since: – dl_server hrtimer gets enqueued close to cpu offline, when kthread_park enqueues a fair task. – CPU goes offline and drmgr removes it from cpu_present_mask. – hrtimer fires and warning is hit. Fix it by stopping the dl_server before CPU is marked dead. [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr [sshegde: wrote the changelog and tested it] | 2025-11-12 | not yet calculated | CVE-2025-40163 | https://git.kernel.org/stable/c/ab6c0f158508bb16d483add70b73a73f95651c33 https://git.kernel.org/stable/c/ee6e44dfe6e50b4a5df853d933a96bdff5309e6e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix using smp_processor_id() in preemptible code warnings Syzbot reported the following warning: BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 __dev_set_mtu net/core/dev.c:9443 [inline] netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 sock_do_ioctl+0x19d/0x280 net/socket.c:1204 sock_ioctl+0x42f/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f For historical and portability reasons, netif_rx() is usually run in the softirq or interrupt context; this commit therefore adds local_bh_disable/enable() protection in usbnet_resume_rx(). | 2025-11-12 | not yet calculated | CVE-2025-40164 | https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255 https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won’t be freed. Besides that, if the input line width is more than 2K, it will trigger a WARN_ON(): [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072] v4l_streamon+0x24/0x30 [ 59.364556] __video_do_ioctl+0x40c/0x4a0 [ 59.368560] video_usercopy+0x2bc/0x690 [ 59.372382] video_ioctl2+0x18/0x24 [ 59.375857] v4l2_ioctl+0x40/0x60 [ 59.379168] __arm64_sys_ioctl+0xac/0x104 [ 59.383172] invoke_syscall+0x48/0x104 [ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613] do_el0_svc+0x1c/0x28 [ 59.394915] el0_svc+0x34/0xf4 [ 59.397966] el0t_64_sync_handler+0xa0/0xe4 [ 59.402143] el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]--- Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers. | 2025-11-12 | not yet calculated | CVE-2025-40165 | https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302 https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847 https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled. In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running. Here is the failure dmesg log: " [ 468.089581] ---[ end trace 0000000000000000 ]--- [ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535 [ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1 [ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1) [ 468.092716] ------------[ cut here ]------------ [ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] " v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). As CT may go down and come back during VF migration. (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea) | 2025-11-12 | not yet calculated | CVE-2025-40166 | https://git.kernel.org/stable/c/2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6 https://git.kernel.org/stable/c/fa708415566bbe5361c935645107319f8edc8dc1 https://git.kernel.org/stable/c/9f64b3cd051b825de0a2a9f145c8e003200cedd5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode. | 2025-11-12 | not yet calculated | CVE-2025-40167 | https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3 https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217 https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23 https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34 https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717 https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc_clc_prfx_match() is called from smc_listen_work() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let’s use __sk_dst_get() and dst_dev_rcu(). Note that the returned value of smc_clc_prfx_match() is not used in the caller. | 2025-11-12 | not yet calculated | CVE-2025-40168 | https://git.kernel.org/stable/c/d26e80f7fb62d77757b67a1b94e4ac756bc9c658 https://git.kernel.org/stable/c/235f81045c008169cc4e1955b4a64e118eebe61b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The ‘offset’ field in these instructions is a signed 16-bit integer. The existing check ‘insn->off > 1’ was intended to ensure the offset is either 0, or 1 for BPF_MOD/BPF_DIV. However, because ‘insn->off’ is signed, this check incorrectly accepts all negative values (e.g., -1). This commit tightens the validation by changing the condition to ‘(insn->off != 0 && insn->off != 1)’. This ensures that any value other than the explicitly permitted 0 and 1 is rejected, hardening the verifier against malformed BPF programs. | 2025-11-12 | not yet calculated | CVE-2025-40169 | https://git.kernel.org/stable/c/3bce44b344040e5eef3d64d38b157c15304c0aab https://git.kernel.org/stable/c/5017c302ca4b2a45149ad64e058fa2d5623c068f https://git.kernel.org/stable/c/21167bf70dbe400563e189ac632258d35eda38b5 https://git.kernel.org/stable/c/55c0ced59fe17dee34e9dfd5f7be63cbab207758 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). | 2025-11-12 | not yet calculated | CVE-2025-40170 | https://git.kernel.org/stable/c/a805729c0091073d8f0415cfa96c7acd1bc17a48 https://git.kernel.org/stable/c/99a2ace61b211b0be861b07fbaa062fca4b58879 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. | 2025-11-12 | not yet calculated | CVE-2025-40171 | https://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0 https://git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9 https://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c https://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850 https://git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4 https://git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred. | 2025-11-12 | not yet calculated | CVE-2025-40172 | https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725 https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (“net: ip_tunnel: prevent perpetual headroom growth”), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer. | 2025-11-12 | not yet calculated | CVE-2025-40173 | https://git.kernel.org/stable/c/566f8d5c8a443f2dd69c5460fdec43ed1c870c65 https://git.kernel.org/stable/c/11f6066af3bfb8149aa16c42c0b0c5ea5b199a94 https://git.kernel.org/stable/c/402b6985e872b4cf394bbbf33b503947a326a6cb https://git.kernel.org/stable/c/10fe967efe73c610e526ff7460581610633dee9c https://git.kernel.org/stable/c/48294a67863c9cfa367abb66bbf0ef6548ae124f https://git.kernel.org/stable/c/eeb4345488672584db4f8c20a1ae13a212ce31c4 https://git.kernel.org/stable/c/b6eb25d870f1a8ae571fd3da2244b71df547824b https://git.kernel.org/stable/c/21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs. [ dhansen: merge conflict fixed by Ingo ] | 2025-11-12 | not yet calculated | CVE-2025-40174 | https://git.kernel.org/stable/c/0fe5e3f5fb75c5d88dad24dece3ee75e9d87adeb https://git.kernel.org/stable/c/83b0177a6c4889b3a6e865da5e21b2c9d97d0551 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows – for example due to reset during running PTP apps. Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs. | 2025-11-12 | not yet calculated | CVE-2025-40175 | https://git.kernel.org/stable/c/2c84e91ef831d4fedb0b94670b3cfd1cc5f966a5 https://git.kernel.org/stable/c/a3f8c0a273120fd2638f03403e786c3de2382e72 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned). In this case, wait for all pending decryption requests. | 2025-11-12 | not yet calculated | CVE-2025-40176 | https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685 https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160 https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0 https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers. We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults. Fix the init ordering to close the race. | 2025-11-12 | not yet calculated | CVE-2025-40177 | https://git.kernel.org/stable/c/646868e6962b14e25ae7462fdd1fb061b40c1f16 https://git.kernel.org/stable/c/48814afc7372f96a9584125c8508dffc88d1d378 https://git.kernel.org/stable/c/fd6e385528d8f85993b7bfc6430576136bb14c65 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 [0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __task_pid_nr_ns+0x74/0xd0 lr : __task_pid_nr_ns+0x24/0xd0 sp : ffffffc08001bd10 x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 Call trace: __task_pid_nr_ns+0x74/0xd0 … __handle_irq_event_percpu+0xd4/0x284 handle_irq_event+0x48/0xb0 handle_fasteoi_irq+0x160/0x2d8 generic_handle_domain_irq+0x44/0x60 gic_handle_irq+0x4c/0x114 call_on_irq_stack+0x3c/0x74 do_interrupt_handler+0x4c/0x84 el1_interrupt+0x34/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c account_kernel_stack+0x60/0x144 exit_task_stack_account+0x1c/0x80 do_exit+0x7e4/0xaf8 … get_signal+0x7bc/0x8d8 do_notify_resume+0x128/0x828 el0_svc+0x6c/0x70 el0t_64_sync_handler+0x68/0xbc el0t_64_sync+0x1a8/0x1ac Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt | 2025-11-12 | not yet calculated | CVE-2025-40178 | https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333 https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67 https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38 https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2 https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0 https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478 https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files. | 2025-11-12 | not yet calculated | CVE-2025-40179 | https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995 https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107 https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9 https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921 https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859 https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. | 2025-11-12 | not yet calculated | CVE-2025-40180 | https://git.kernel.org/stable/c/cd0cbf2713f6e027ebba867cb7409ae345a31312 https://git.kernel.org/stable/c/ab96f08ecedd263ecaab9df8455bfb23b07fdcc2 https://git.kernel.org/stable/c/0aead8197fc1a85b0a89646e418feb49a564b029 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC via a forced variable MTRR range. In most KVM-based setups, legacy devices such as the HPET and TPM are enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and optionally a SystemMemory descriptor for an OperationRegion, e.g. if the device needs to be accessed via a Control Method. If a SystemMemory entry is present, then the kernel’s ACPI driver will auto-ioremap the region so that it can be accessed at will. However, the ACPI spec doesn’t provide a way to enumerate the memory type of SystemMemory regions, i.e. there’s no way to tell software that a region must be mapped as UC vs. WB, etc. As a result, Linux’s ACPI driver always maps SystemMemory regions using ioremap_cache(), i.e. as WB on x86. The dedicated device drivers however, e.g. the HPET driver and TPM driver, want to map their associated memory as UC or WC, as accessing PCI devices using WB is unsupported. On bare metal and non-CoCO, the conflicting requirements “work” as firmware configures the PCI hole (and other device memory) to be UC in the MTRRs. So even though the ACPI mappings request WB, they are forced to UC- in the kernel’s tracking due to the kernel properly handling the MTRR overrides, and thus are compatible with the drivers’ requested WC/UC-. With force WB MTRRs on SNP and TDX guests, the ACPI mappings get their requested WB if the ACPI mappings are established before the dedicated driver code attempts to initialize the device. E.g. if acpi_init() runs before the corresponding device driver is probed, ACPI’s WB mapping will “win”, and result in the driver’s ioremap() failing because the existing WB mapping isn’t compatible with the requested WC/UC-. E.g. when a TPM is emulated by the hypervisor (ignoring the security implications of relying on what is allegedly an untrusted entity to store measurements), the TPM driver will request UC and fail: [ 1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0 [ 1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12 Note, the ‘0x2’ and ‘0x0’ values refer to “enum page_cache_mode”, not x86’s memtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC). E.g. tracing mapping requests for TPM TIS yields: Mapping TPM TIS with req_type = 0 WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460 Modules linked in: CPU: 22 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc7+ #2 VOLUNTARY Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025 RIP: 0010:memtype_reserve+0x2ab/0x460 __ioremap_caller+0x16d/0x3d0 ioremap_cache+0x17/0x30 x86_acpi_os_ioremap+0xe/0x20 acpi_os_map_iomem+0x1f3/0x240 acpi_os_map_memory+0xe/0x20 acpi_ex_system_memory_space_handler+0x273/0x440 acpi_ev_address_space_dispatch+0x176/0x4c0 acpi_ex_access_region+0x2ad/0x530 acpi_ex_field_datum_io+0xa2/0x4f0 acpi_ex_extract_from_field+0x296/0x3e0 acpi_ex_read_data_from_field+0xd1/0x460 acpi_ex_resolve_node_to_value+0x2ee/0x530 acpi_ex_resolve_to_value+0x1f2/0x540 acpi_ds_evaluate_name_path+0x11b/0x190 acpi_ds_exec_end_op+0x456/0x960 acpi_ps_parse_loop+0x27a/0xa50 acpi_ps_parse_aml+0x226/0x600 acpi_ps_execute_method+0x172/0x3e0 acpi_ns_evaluate+0x175/0x5f0 acpi_evaluate_object+0x213/0x490 acpi_evaluate_integer+0x6d/0x140 acpi_bus_get_status+0x93/0x150 acpi_add_single_object+0x43a/0x7c0 acpi_bus_check_add+0x149/0x3a0 acpi_bus_check_add_1+0x16/0x30 acpi_ns_walk_namespace+0x22c/0x360 acpi_walk_namespace+0x15c/0x170 acpi_bus_scan+0x1dd/0x200 acpi_scan_init+0xe5/0x2b0 acpi_init+0x264/0x5b0 do_one_i ---truncated--- | 2025-11-12 | not yet calculated | CVE-2025-40181 | https://git.kernel.org/stable/c/34ff466f74d0fe1db8956f9c245e2bb2c67f67bf https://git.kernel.org/stable/c/91ab8a21bda2d2d2842b6159ac060d9100433a3c https://git.kernel.org/stable/c/0dccbc75e18df85399a71933d60b97494110f559 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: skcipher - Fix reqsize handling Commit afddce13ce81d (“crypto: api - Add reqsize to crypto_alg”) introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs [1] instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in skcipher algorithms, hence, causes memory corruptions and crashes as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [2] Add proper set_reqsize calls in the skcipher init function to properly initialize reqsize for these algorithms in the framework. [1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/ [2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b | 2025-11-12 | not yet calculated | CVE-2025-40182 | https://git.kernel.org/stable/c/f041339d6b9a5a46437f0c48fc7279c92af7a513 https://git.kernel.org/stable/c/229c586b5e86979badb7cb0d38717b88a9e95ddd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing. The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first. | 2025-11-12 | not yet calculated | CVE-2025-40183 | https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79 https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598 https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09 https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89 https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8 https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix debug checking for np-guests using huge mappings When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then the debug checking in assert_host_shared_guest() fails on the launch of an np-guest. This WARN_ON() causes a panic and generates the stack below. In __pkvm_host_relax_perms_guest() the debug checking assumes the mapping is a single page but it may be a block map. Update the checking so that the size is not checked and just assumes the correct size. While we’re here make the same fix in __pkvm_host_mkyoung_guest(). Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128 Info: Removed ghost socket file “/.lkvm//guest-128.sock”. [ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088! [ 1406.521804] kvm [141]: nVHE call trace: [ 1406.521828] kvm [141]: [<ffff8000811676b4>] __kvm_nvhe_hyp_panic+0xb4/0xe8 [ 1406.521946] kvm [141]: [<ffff80008116d12c>] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c [ 1406.522049] kvm [141]: [<ffff80008116f068>] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104 [ 1406.522157] kvm [141]: [<ffff800081169df8>] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c [ 1406.522250] kvm [141]: [<ffff800081169f0c>] __kvm_nvhe_handle_trap+0x8c/0x1a8 [ 1406.522333] kvm [141]: [<ffff8000811680fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4 [ 1406.522454] kvm [141]: ---[ end nVHE call trace ]--- [ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000 [ 1406.522554] Kernel panic - not syncing: HYP panic: [ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800 [ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000 [ 1406.522554] VCPU:0000000000000000 [ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT [ 1406.523485] Hardware name: FVP Base RevC (DT) [ 1406.523566] Call trace: [ 1406.523629] show_stack+0x18/0x24 (C) [ 1406.523753] dump_stack_lvl+0xd4/0x108 [ 1406.523899] dump_stack+0x18/0x24 [ 1406.524040] panic+0x3d8/0x448 [ 1406.524184] nvhe_hyp_panic_handler+0x10c/0x23c [ 1406.524325] kvm_handle_guest_abort+0x68c/0x109c [ 1406.524500] handle_exit+0x60/0x17c [ 1406.524630] kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0 [ 1406.524794] kvm_vcpu_ioctl+0x1a8/0x9cc [ 1406.524919] __arm64_sys_ioctl+0xac/0x104 [ 1406.525067] invoke_syscall+0x48/0x10c [ 1406.525189] el0_svc_common.constprop.0+0x40/0xe0 [ 1406.525322] do_el0_svc+0x1c/0x28 [ 1406.525441] el0_svc+0x38/0x120 [ 1406.525588] el0t_64_sync_handler+0x10c/0x138 [ 1406.525750] el0t_64_sync+0x1ac/0x1b0 [ 1406.525876] SMP: stopping secondary CPUs [ 1406.525965] Kernel Offset: disabled [ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f [ 1406.526130] Memory Limit: none [ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic: [ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800 [ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000 [ 1406.959099] VCPU:0000000000000000 ] | 2025-11-12 | not yet calculated | CVE-2025-40184 | https://git.kernel.org/stable/c/4f7af3d8a1177c807d1f2563c7c171700b020656 https://git.kernel.org/stable/c/2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ice: ice_adapter: release xa entry on adapter allocation failure When ice_adapter_new() fails, the reserved XArray entry created by xa_insert() is not released. This causes subsequent insertions at the same index to return -EBUSY, potentially leading to NULL pointer dereferences. Reorder the operations as suggested by Przemek Kitszel: 1. Check if adapter already exists (xa_load) 2. Reserve the XArray slot (xa_reserve) 3. Allocate the adapter (ice_adapter_new) 4. Store the adapter (xa_store) | 2025-11-12 | not yet calculated | CVE-2025-40185 | https://git.kernel.org/stable/c/7b9269de9815fc34d93dab90bd5169bacbe78e70 https://git.kernel.org/stable/c/794abb265de3e792167fe3ea0440c064c722bb84 https://git.kernel.org/stable/c/2db687f3469dbc5c59bc53d55acafd75d530b497 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: Don’t call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk. Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk. Let’s remove reqsk_fastopen_remove() in tcp_conn_request(). Note that other callers make sure tp->fastopen_rsk is not NULL. [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace: <IRQ> tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480) </IRQ> | 2025-11-12 | not yet calculated | CVE-2025-40186 | https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7 https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32 https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. | 2025-11-12 | not yet calculated | CVE-2025-40187 | https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62 https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928 https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447 https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73 https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035 https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The ‘enable’ register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE; otherwise the driver accesses the wrong address, causing a CPU exception and then a kernel panic during suspend/resume. | 2025-11-12 | not yet calculated | CVE-2025-40188 | https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221 https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444 https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25 https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994 https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Syzbot reported read of uninitialized variable BUG with following call stack. lan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout ===================================================== BUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline] BUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] BUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline] lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766 lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707 Local variable sig.i.i created at: lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline] lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766 The function lan78xx_read_raw_eeprom failed to properly propagate EEPROM read timeout errors (-ETIMEDOUT). In the fallthrough path, it first attempted to restore the pin configuration for LED outputs and then returned only the status of that restore operation, discarding the original timeout error. As a result, callers could mistakenly treat the data buffer as valid even though the EEPROM read had actually timed out with no data or partial data. To fix this, handle errors in restoring the LED pin configuration separately. If the restore succeeds, return any prior EEPROM timeout error correctly to the caller. | 2025-11-12 | not yet calculated | CVE-2025-40189 | https://git.kernel.org/stable/c/a72a7c4f675080a324d4c2167bd2314d968279f1 https://git.kernel.org/stable/c/49bdb63ff64469a6de8ea901aef123c75be9bbe7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn. | 2025-11-12 | not yet calculated | CVE-2025-40190 | https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002 https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8 https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631 https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278 https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943 https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd process ref leaking when userptr unmapping kfd_lookup_process_by_pid holds the kfd process reference to ensure it doesn’t get destroyed while sending the segfault event to user space. Calling kfd_lookup_process_by_pid as a function parameter leaks the kfd process refcount and misses the NULL pointer check if the app process is already destroyed. | 2025-11-12 | not yet calculated | CVE-2025-40191 | https://git.kernel.org/stable/c/60f6112fc9b3ba0eae519f10702c0c13bab45742 https://git.kernel.org/stable/c/58e6fc2fb94f0f409447e5d46cf6a417b6397fbc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Revert “ipmi: fix msg stack when IPMI is disconnected” This reverts commit c608966f3f9c2dca596967501d00753282b395fc. This patch has a subtle bug that can cause the IPMI driver to go into an infinite loop if the BMC misbehaves in a certain way. Apparently certain BMCs do misbehave this way because several reports have come in recently about this. | 2025-11-12 | not yet calculated | CVE-2025-40192 | https://git.kernel.org/stable/c/f4aab940ae9eb3ba32e5332b35703673f00d7f37 https://git.kernel.org/stable/c/b9cc7155e65f6feca51bfedd543b9bd300e2be2b https://git.kernel.org/stable/c/8cf5c24533b8058910fcb83a25a9cf0306383780 https://git.kernel.org/stable/c/5d09ee1bec870263f4ace439402ea840503b503b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing a kernel crash. This follows the same pattern as commit ee76746387f6 (“netdevsim: prevent bad user input in nsim_dev_health_break_write()”) | 2025-11-12 | not yet calculated | CVE-2025-40193 | https://git.kernel.org/stable/c/f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf https://git.kernel.org/stable/c/151bd88859474cdaccc1e4c8b21fbf72dbba2ab4 https://git.kernel.org/stable/c/d381de7fd4cdc928ede96987dc64b133e6480dd6 https://git.kernel.org/stable/c/a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a https://git.kernel.org/stable/c/5d5f08fd0cd970184376bee07d59f635c8403f63 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later. | 2025-11-12 | not yet calculated | CVE-2025-40194 | https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9 https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851 https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4 https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3 https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092 https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When called from listmount(), mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. | 2025-11-12 | not yet calculated | CVE-2025-40195 | https://git.kernel.org/stable/c/2d68f8a7379d9c61005e982600c61948d4d019bd https://git.kernel.org/stable/c/99ae3e70a293834d0274c46a37120c71a24a4995 https://git.kernel.org/stable/c/6c7ca6a02f8f9549a438a08a23c6327580ecf3d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs: quota: create dedicated workqueue for quota_release_work There is a kernel panic due to WARN_ONCE when panic_on_warn is set. This issue occurs when writeback is triggered due to sync call for an opened file (ie, writeback reason is WB_REASON_SYNC). When f2fs balance is needed at sync path, flush for quota_release_work is triggered. By default quota_release_work is queued to “events_unbound” queue which does not have WQ_MEM_RECLAIM flag. During f2fs balance “writeback” workqueue tries to flush quota_release_work causing kernel panic due to MEM_RECLAIM flag mismatch errors. This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag for work quota_release_work. ------------[ cut here ]------------ WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148 Call trace: check_flush_dependency+0x13c/0x148 __flush_work+0xd0/0x398 flush_delayed_work+0x44/0x5c dquot_writeback_dquots+0x54/0x318 f2fs_do_quota_sync+0xb8/0x1a8 f2fs_write_checkpoint+0x3cc/0x99c f2fs_gc+0x190/0x750 f2fs_balance_fs+0x110/0x168 f2fs_write_single_data_page+0x474/0x7dc f2fs_write_data_pages+0x7d0/0xd0c do_writepages+0xe0/0x2f4 __writeback_single_inode+0x44/0x4ac writeback_sb_inodes+0x30c/0x538 wb_writeback+0xf4/0x440 wb_workfn+0x128/0x5d4 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1b0 ret_from_fork+0x10/0x20 Kernel panic - not syncing: kernel: panic_on_warn set … | 2025-11-12 | not yet calculated | CVE-2025-40196 | https://git.kernel.org/stable/c/f846eacde280ecc3daedfe001580e3033565179e https://git.kernel.org/stable/c/f12039df1515d5daf7d92e586ece5cefeb39561b https://git.kernel.org/stable/c/8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0 https://git.kernel.org/stable/c/72b7ceca857f38a8ca7c5629feffc63769638974 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released. | 2025-11-12 | not yet calculated | CVE-2025-40197 | https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002 https://git.kernel.org/stable/c/64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d https://git.kernel.org/stable/c/5d327391f9fafeb0938be4fc538dd0bd54a0b2ef https://git.kernel.org/stable/c/8f52c7f38f0f2ee2afc331e6b873acba5e9490a8 https://git.kernel.org/stable/c/7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa https://git.kernel.org/stable/c/7db47e737128b3585ae679b709b85f3f44cd8750 https://git.kernel.org/stable/c/ac01416d477c2dc6016782635ae022f8cc634a29 https://git.kernel.org/stable/c/8cfc8cec1b4da88a47c243a11f384baefd092a50 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. | 2025-11-12 | not yet calculated | CVE-2025-40198 | https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4 https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502 https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934 https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412 https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine. Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages. The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives. Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types is complete for page_pool pages. v2: - Make sure there’s at least 8 bits available and that the PAGE_OFFSET bit calculation doesn’t wrap | 2025-11-12 | not yet calculated | CVE-2025-40199 | https://git.kernel.org/stable/c/15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a https://git.kernel.org/stable/c/f62934cea32c8f7b11b747975d69bf5afe4264cf https://git.kernel.org/stable/c/95920c2ed02bde551ab654e9749c2ca7bc3100e0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syzkaller reports a “WARNING in ovl_copy_up_file” in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity] | 2025-11-12 | not yet calculated | CVE-2025-40200 | https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7 https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408 https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66 https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321 https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810 https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812 https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4 https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don’t see a better fix for -stable. | 2025-11-12 | not yet calculated | CVE-2025-40201 | https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18 https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342 https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75 https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143 https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcounting and user message limit counts are done in that routine. It’s a lot cleaner and safer. | 2025-11-12 | not yet calculated | CVE-2025-40202 | https://git.kernel.org/stable/c/f63723ca7d7623f9dae1990973cd158671f03c56 https://git.kernel.org/stable/c/348121b29594d42d1635648fd3ed31dfa25351d5 https://git.kernel.org/stable/c/53d6e403affbf6df2c859a0ea00ccfc1e72090ca https://git.kernel.org/stable/c/0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5 https://git.kernel.org/stable/c/b52da4054ee0bf9ecb44996f2c83236ff50b3812 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: listmount: don’t call path_put() under namespace semaphore Massage listmount() and make sure we don’t call path_put() under the namespace semaphore. If we put the last reference we’re fscked. | 2025-11-12 | not yet calculated | CVE-2025-40203 | https://git.kernel.org/stable/c/659874b7ee4976ad9ce476e07fd36bc67b3537f1 https://git.kernel.org/stable/c/9c80da26fda2fdcaac7f92b5908875b3108830ff https://git.kernel.org/stable/c/c1f86d0ac322c7e77f6f8dbd216c65d39358ffc0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2025-11-12 | not yet calculated | CVE-2025-40204 | https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617 https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77 https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209 https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0 https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405 https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes). If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned. This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id. A previous attempt to fix this issue was made but was lost. https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data. | 2025-11-12 | not yet calculated | CVE-2025-40205 | https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3 https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47 https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224 https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) […] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip6_route+0x23/0x50 synproxy_send_tcp_ipv6+0x106/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 nft_synproxy_do_eval+0x263/0x310 nft_do_chain+0x5a8/0x5f0 [nf_tables nft_do_chain_inet+0x98/0x110 nf_hook_slow+0x43/0xc0 __ip6_local_out+0xf0/0x170 ip6_local_out+0x17/0x70 synproxy_send_tcp_ipv6+0x1a2/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 […] Implement objref and objrefmap expression validate functions. Currently, only NFT_OBJECT_SYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook. Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error: synproxy_crash.nft: Error: Could not process rule: Operation not supported synproxy name mysynproxy ^^^^^^^^^^^^^^^^^^^^^^^^ | 2025-11-12 | not yet calculated | CVE-2025-40206 | https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944 https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0 https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). | 2025-11-12 | not yet calculated | CVE-2025-40207 | https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711 https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7 https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857 https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00 https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2 qcom-iris aa00000.video-codec: firmware download failed qcom-iris aa00000.video-codec: core init failed then: $ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind Triggers: genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow! ------------[ cut here ]------------ video_cc_mvs0_clk already disabled WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542 <snip> pc : clk_core_disable+0xa4/0xac lr : clk_core_disable+0xa4/0xac <snip> Call trace: clk_core_disable+0xa4/0xac (P) clk_disable+0x30/0x4c iris_disable_unprepare_clock+0x20/0x48 [qcom_iris] iris_vpu_power_off_hw+0x48/0x58 [qcom_iris] iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris] iris_vpu_power_off+0x34/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ video_cc_mvs0_clk already unprepared WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542 <snip> pc : clk_core_unprepare+0xf0/0x110 lr : clk_core_unprepare+0xf0/0x110 <snip> Call trace: clk_core_unprepare+0xf0/0x110 (P) clk_unprepare+0x2c/0x44 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris] iris_vpu_power_off_hw+0x48/0x58 [qcom_iris] iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris] iris_vpu_power_off+0x34/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow! ------------[ cut here ]------------ gcc_video_axi0_clk already disabled WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542 <snip> pc : clk_core_disable+0xa4/0xac lr : clk_core_disable+0xa4/0xac <snip> Call trace: clk_core_disable+0xa4/0xac (P) clk_disable+0x30/0x4c iris_disable_unprepare_clock+0x20/0x48 [qcom_iris] iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris] iris_vpu_power_off+0x48/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ------------[ cut here ]------------ gcc_video_axi0_clk already unprepared WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542 <snip> pc : clk_core_unprepare+0xf0/0x110 lr : clk_core_unprepare+0xf0/0x110 <snip> Call trace: clk_core_unprepare+0xf0/0x110 (P) clk_unprepare+0x2c/0x44 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris] iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris] iris_vpu_power_off+0x48/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- Skip deinit if initialization never succeeded. | 2025-11-12 | not yet calculated | CVE-2025-40208 | https://git.kernel.org/stable/c/7a0a77b936ff28f59c271172e81cefebf7b2b7a6 https://git.kernel.org/stable/c/fde38008fc4f43db8c17869491870df24b501543 |
| xCally–Omnichannel | Cross-site Scripting (XSS) vulnerability reflected in xCally’s Omnichannel v3.30.1. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the ‘failureMessage’ parameter in ‘/login’. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-11-13 | not yet calculated | CVE-2025-40681 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-xcally-omnichannel |
| SOPlanning–SOPlanning | Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper validation of user input by sending a POST request using the ‘LOGOUT_REDIRECT’ parameter in ‘/soplanning/www/process/options.php’. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. | 2025-11-10 | not yet calculated | CVE-2025-41001 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-soplanning |
| T-Innova DeporSite–DSuite 2025 | Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the ‘idUsuario’ parameter in ‘/ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos’, which could lead to the exposure or alteration of confidential data. | 2025-11-13 | not yet calculated | CVE-2025-41069 | https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-references-idor-deporsite-t-innova-deporsite |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘title’ in ‘/projects/save’. | 2025-11-11 | not yet calculated | CVE-2025-41101 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘title’ in ‘/events/save’. | 2025-11-11 | not yet calculated | CVE-2025-41102 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘reply_message’ in ‘/messages/reply’. | 2025-11-11 | not yet calculated | CVE-2025-41103 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘custom_field_1’ in ‘/estimate_requests/save_estimate_request’. | 2025-11-11 | not yet calculated | CVE-2025-41104 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘title’ in ‘/tickets/save’. | 2025-11-11 | not yet calculated | CVE-2025-41105 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch–RISE CRM Framework | HTML injection vulnerability found in Fairsketch’s RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter ‘first_name’ in ‘/clients/save_contact/’. | 2025-11-11 | not yet calculated | CVE-2025-41106 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| QDOCS–Smart School | Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to ‘/online_admission’, which affects the parameters ‘firstname’, ‘lastname’, ‘guardian_name’ and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details. | 2025-11-10 | not yet calculated | CVE-2025-41107 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-smart-school |
| Grafana Labs–Grafana Databricks Datasource Plugin | When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Databricks Datasource Plugin: from 1.12.1 before 1.12.0 | 2025-11-11 | not yet calculated | CVE-2025-41116 | https://grafana.com/security/security-advisories/cve-2025-41116/ |
| Apple–watchOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in watchOS 11.4, tvOS 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4. An app may be able to bypass ASLR. | 2025-11-12 | not yet calculated | CVE-2025-43205 | https://support.apple.com/en-us/122376 https://support.apple.com/en-us/122377 https://support.apple.com/en-us/122371 https://support.apple.com/en-us/122378 |
| Apple–Compressor | The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code. | 2025-11-13 | not yet calculated | CVE-2025-43515 | https://support.apple.com/en-us/125693 |
| Palo Alto Networks–Prisma Browser | An insufficient validation of an untrusted input vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to revert the browser’s security controls. | 2025-11-14 | not yet calculated | CVE-2025-4616 | https://security.paloaltonetworks.com/CVE-2025-4616 |
| Palo Alto Networks–Prisma Browser | An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin user to bypass the screenshot control feature of the browser. Browser self-protection should be enabled to mitigate this issue. | 2025-11-14 | not yet calculated | CVE-2025-4617 | https://security.paloaltonetworks.com/CVE-2025-4617 |
| Palo Alto Networks–Prisma Browser | A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser. Browser self-protection should be enabled to mitigate this issue. | 2025-11-14 | not yet calculated | CVE-2025-4618 | https://security.paloaltonetworks.com/CVE-2025-4618 |
| Palo Alto Networks–Cloud NGFW | A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode. This issue is applicable to the PAN-OS software versions listed below on PA-Series firewalls, VM-Series firewalls, and Prisma® Access software. This issue does not affect Cloud NGFW. We have successfully completed the Prisma Access upgrade for all customers, with the exception of those facing issues such as conflicting maintenance windows. Remaining customers will be promptly scheduled for an upgrade through our standard upgrade process. | 2025-11-13 | not yet calculated | CVE-2025-4619 | https://security.paloaltonetworks.com/CVE-2025-4619 |
| n/a–n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 1 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47220 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| n/a–n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 2 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47221 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| n/a–n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 3 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47222 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| Combodo–iTop | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it. | 2025-11-10 | not yet calculated | CVE-2025-47286 | https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c |
| golang.org/x/crypto–golang.org/x/crypto/ssh/agent | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | 2025-11-13 | not yet calculated | CVE-2025-47913 | https://go.dev/cl/700295 https://go.dev/issue/75178 https://github.com/advisories/GHSA-hcg3-q754-cr77 https://pkg.go.dev/vuln/GO-2025-4116 |
| n/a–n/a | Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs | 2025-11-13 | not yet calculated | CVE-2025-52186 | https://hackerone.com/reports/3165242 https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c |
| n/a–n/a | Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the “generate report” functionality and open the report. | 2025-11-12 | not yet calculated | CVE-2025-52331 | https://www.rarlab.com/rarnew.htm https://gist.github.com/MarcinB44/2150484497c4b34aedf682c9091b14fa https://www.win-rar.com/whatsnew.html |
| Bitdefender–Endpoint Security Tools for Mac | An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | 2025-11-11 | not yet calculated | CVE-2025-5317 | https://www.bitdefender.com/support/security-advisories/improper-access-restriction-to-critical-folder-in-bitdefender-endpoint-security-tools-for-mac/ |
| n/a–n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | 2025-11-14 | not yet calculated | CVE-2025-54339 | https://desktopalert.net https://desktopalert.net/cve-2025-54339/ |
| n/a–n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is a Broken or Risky Cryptographic Algorithm. | 2025-11-14 | not yet calculated | CVE-2025-54340 | https://desktopalert.net https://desktopalert.net/cve-2025-54340/ |
| n/a–n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies. | 2025-11-14 | not yet calculated | CVE-2025-54342 | https://desktopalert.net https://desktopalert.net/cve-2025-54342/ |
| n/a–n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | 2025-11-14 | not yet calculated | CVE-2025-54343 | https://desktopalert.net https://desktopalert.net/CVE-2025-54343/ |
| n/a–n/a | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. Sensitive Information is exposed to an Unauthorized Actor. | 2025-11-14 | not yet calculated | CVE-2025-54345 | https://desktopalert.net https://desktopalert.net/cve-2025-54345/ |
| n/a–n/a | A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing sensitive information. | 2025-11-14 | not yet calculated | CVE-2025-54346 | https://desktopalert.net https://desktopalert.net/cve-2025-54346/ |
| n/a–n/a | A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing sensitive information. | 2025-11-14 | not yet calculated | CVE-2025-54348 | https://desktopalert.net https://desktopalert.net/cve-2025-54348/ |
| n/a–n/a | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. | 2025-11-14 | not yet calculated | CVE-2025-54559 | https://desktopalert.net https://desktopalert.net/cve-2025-54559/ |
| n/a–n/a | A Server-side Request Forgery vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Probing of internal infrastructure. | 2025-11-14 | not yet calculated | CVE-2025-54560 | https://desktopalert.net https://desktopalert.net/cve-2025-54560/ |
| n/a–n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | 2025-11-14 | not yet calculated | CVE-2025-54561 | https://desktopalert.net https://desktopalert.net/cve-2025-54561/ |
| n/a–n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through stack trace. | 2025-11-14 | not yet calculated | CVE-2025-54562 | https://desktopalert.net https://desktopalert.net/cve-2025-54562/ |
| n/a–n/a | A vulnerability was found in Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) with hardware version V03 and firmware version 1.4.2, which allows physical attackers to execute commands as root via script file with a specific name on a SD card. | 2025-11-13 | not yet calculated | CVE-2025-55810 | https://www.alagaai.com/ https://www.mgm-sp.com/privilege-escalation-vulnerability-in-alaga-home-security-wifi-camera |
| n/a–n/a | A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the ‘xmHarmony.asp’ endpoint. User-supplied input to the ‘TXTUSERID’ parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents. | 2025-11-12 | not yet calculated | CVE-2025-56385 | http://harmony.com http://wellsky.com https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection |
| n/a–n/a | A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via crafted POST request to admin.php?p=ads&c=1 allowing attackers to execute arbitrary code. | 2025-11-12 | not yet calculated | CVE-2025-57310 | https://gist.github.com/MMAKINGDOM/a6c2c8c70145cbea4e119525651e9a8d https://github.com/MMAKINGDOM/CVE-2025-57310 |
| Apache Software Foundation–Apache OFBiz | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-59118 | https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-24.09.03.html https://issues.apache.org/jira/browse/OFBIZ-13292 https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt |
| ASUS–DSL-AC51 | An authentication bypass vulnerability has been identified in certain DSL series routers, which may allow remote attackers to gain unauthorized access to the affected system. Refer to the ‘Security Update for DSL Series Router’ section on the ASUS Security Advisory for more information. | 2025-11-13 | not yet calculated | CVE-2025-59367 | https://www.asus.com/security-advisory |
| n/a–n/a | Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. | 2025-11-12 | not yet calculated | CVE-2025-59491 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| GNU Project–GNU libmicrohttpd | NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. | 2025-11-10 | not yet calculated | CVE-2025-59777 | https://www.gnu.org/software/libmicrohttpd/ https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b https://jvn.jp/en/jp/JVN76719218/ |
| n/a–n/a | A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request. | 2025-11-12 | not yet calculated | CVE-2025-60645 | https://github.com/xuxueli/xxl-api/issues/64 https://gist.github.com/LockeTom/77fb982a49dee956101810bbefa09fb4 |
| n/a–n/a | A stored cross-site scripting (XSS) vulnerability in the Business Line Management module of Xxl-api v1.3.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | 2025-11-12 | not yet calculated | CVE-2025-60646 | https://github.com/xuxueli/xxl-api/issues/65 https://gist.github.com/LockeTom/0a02c0b2e2011abfbdf4e5fdbcc9b371 |
| n/a–n/a | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. The vulnerability occurs because content read from this file is only partially validated for a prefix and then formatted using vsnprintf() before being executed with system(), allowing an attacker with write access to /var/system/linux_vlan_reinit to execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60671 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-823G/CVE-2025-60671.md |
| n/a–n/a | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the ‘SetDynamicDNSSettings’ functionality, where the ‘ServerAddress’ and ‘Hostname’ parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60672 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60672.md |
| n/a–n/a | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the ‘SetDMZSettings’ functionality, where the ‘IPAddress’ parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60673 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60673.md |
| D-Link–DIR-878A1 | A stack buffer overflow vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin in the rc binary’s USB storage handling module. The vulnerability occurs when the “Serial Number” field from a USB device is read via sscanf into a 64-byte stack buffer, while fgets reads up to 127 bytes, causing a stack overflow. An attacker with physical access or control over a USB device can exploit this vulnerability to potentially execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60674 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60674.md |
| D-Link–DIR-823G | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60675 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-823G/CVE-2025-60675.md |
| D-Link–DIR-878 | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the ‘SetNetworkSettings’ functionality of prog.cgi, where the ‘IPAddress’ and ‘SubnetMask’ parameters are directly concatenated into shell commands executed via system(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60676 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60676.md |
| D-Link–DIR-816A2 | A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. The vulnerability occurs because /proc/version is read into a 512-byte buffer and then concatenated using sprintf() into another 512-byte buffer containing a 29-byte constant. Input exceeding 481 bytes triggers a stack buffer overflow, allowing an attacker who can control /proc/version content to potentially execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60679 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-816/CVE-2025-60679.md |
| ToToLink–A720R Router | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud update parameters. User-supplied ‘magicid’ and ‘url’ values are directly concatenated into shell commands and executed via system() without any sanitization or escaping. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60682 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60682.md |
| ToToLink–A720R Router | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface reinitialization from ‘/var/system/linux_vlan_reinit’. Input is only partially validated by checking the prefix of interface names, and is concatenated into shell commands executed via system() without escaping. An attacker with write access to this file can execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60683 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60683.md |
| ToToLink–A1200GB Router | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function). The web interface reads the “lang” parameter and constructs Help URL strings using sprintf() into fixed-size stack buffers without proper length validation. Maliciously crafted input can overflow these buffers, potentially leading to arbitrary code execution or memory corruption, without requiring authentication. | 2025-11-13 | not yet calculated | CVE-2025-60684 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60684.md |
| ToToLink–A720R Router | A stack buffer overflow exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary (sub_401EE0 function). The binary reads the /proc/stat file using fgets() into a local buffer and subsequently parses the line using sscanf() into a single-byte variable with the %s format specifier. Maliciously crafted /proc/stat content can overwrite adjacent stack memory, potentially allowing an attacker with filesystem write privileges to execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60685 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60685.md |
| ToToLink–A720R Router | A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with “%s” format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60686 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60686.md |
| ToToLink–LR1200GB Router | An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the “imei” parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60687 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60687.md |
| ToToLink–LR1200GB Router | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (setDefResponse function). The binary reads the “IpAddress” parameter from a web request and copies it into a fixed-size stack buffer using strcpy() without any length validation. Maliciously crafted input can overflow the buffer, leading to potential arbitrary code execution or memory corruption, without requiring authentication. | 2025-11-13 | not yet calculated | CVE-2025-60688 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60688.md |
| Linksys–Linksys E1200 v2 | An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The vulnerability occurs because user-supplied CGI parameters (wl_ant, wl_ssid, wl_rate, ttcp_num, ttcp_ip, ttcp_size) are concatenated into system command strings without proper sanitization and executed via wl_exec_cmd. Successful exploitation allows remote attackers to execute arbitrary commands on the device without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60689 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60689.md |
| Linksys–Linksys E1200 v2 | A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to four user-supplied CGI parameters matching <parameter>_0~3 into a fixed-size buffer (a2) without bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60690 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60690.md |
| Linksys–Linksys E1200 v2 | A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The apply_cgi and block_cgi functions copy user-supplied input from the “url” CGI parameter into stack buffers (v36, v29) using sprintf without bounds checking. Because these buffers are allocated as single-byte variables, any non-empty input will trigger a buffer overflow. Remote attackers can exploit this vulnerability via crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60691 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60691.md |
| Linksys–Linksys E1200 v2 | A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The functions get_mac_from_ip and get_ip_from_mac use sscanf with overly permissive “%100s” format specifiers to parse entries from /proc/net/arp into fixed-size buffers (v6: 50 bytes, v7 sub-arrays: 50 bytes). This allows local attackers controlling the contents of /proc/net/arp to overflow stack buffers, leading to memory corruption, denial of service, or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60692 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60692.md |
| Linksys–Linksys E1200 v2 | A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60693 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60693.md |
| Linksys–Linksys E1200 v2 | A stack-based buffer overflow exists in the validate_static_route function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function improperly concatenates user-supplied CGI parameters (route_ipaddr_0~3, route_netmask_0~3, route_gateway_0~3) into fixed-size buffers (v6, v10, v14) without proper bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60694 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60694.md |
| Linksys–Linksys E7350 | A stack-based buffer overflow vulnerability exists in the mtk_dut binary of Linksys E7350 routers (Firmware 1.1.00.032). The function sub_4045A8 reads up to 256 bytes from /sys/class/net/%s/address into a local buffer and then copies it into caller-provided buffer a1 using strcpy without boundary checks. Since a1 is often allocated with significantly smaller sizes (20-32 bytes), local attackers controlling the contents of /sys/class/net/%s/address can trigger buffer overflows, leading to memory corruption, denial of service, or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60695 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E7350/CVE-2025-60695.md |
| Linksys–Linksys RE7000 | A stack-based buffer overflow vulnerability exists in the makeRequest.cgi binary of Linksys RE7000 routers (Firmware FW_v2.0.15_211230_1012). The arplookup function parses lines from /proc/net/arp using sscanf(“%16s … %18s …”), storing results into buffers v6 (12 bytes) and v7 (20 bytes). Since the format specifiers allow up to 16 and 18 bytes respectively, oversized input can overflow the buffers, resulting in stack corruption. Local attackers controlling /proc/net/arp contents can exploit this issue to cause denial of service or potentially execute arbitrary code. | 2025-11-13 | not yet calculated | CVE-2025-60696 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-RE700/CVE-2025-60696.md |
| D-Link–DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_4438A4` function in `prog.cgi` stores user-supplied DDNS parameters (`ServerAddress` and `Hostname`) in NVRAM via `nvram_safe_set`. These values are later retrieved in the `start_DDNS_ipv4` function of `rc` using `nvram_safe_get` and concatenated into DDNS shell commands executed via `twsystem()` without proper sanitization. Partial string comparison is performed but is insufficient to prevent command injection. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router’s web interface. | 2025-11-13 | not yet calculated | CVE-2025-60697 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/4.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60697.md |
| D-Link–DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_432F60` function in `prog.cgi` stores user-supplied `SetSysLogSettings/IPAddress` values in NVRAM via `nvram_safe_set(“SysLogRemote_IPAddress”, …)`. These values are later retrieved in the `sub_448DCC` function of `rc` using `nvram_safe_get` and concatenated into a shell command executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router’s web interface. | 2025-11-13 | not yet calculated | CVE-2025-60698 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/2.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60698.md |
| TOTOLINK–A950RG Router | A buffer overflow vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `global.so` binary. The `getSaveConfig` function retrieves the `http_host` parameter from user input via `websGetVar` and copies it into a fixed-size stack buffer (`v13`) using `strcpy()` without performing any length checks. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router’s web interface, potentially leading to arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60699 | https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/2.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/CVE-2025-60699.md |
| D-Link–DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. The `sub_4455BC` function in `prog.cgi` stores user-supplied `SetDMZSettings/IPAddress` values in NVRAM via `nvram_safe_set(“dmz_ipaddr”, …)`. These values are later retrieved in the `DMZ_run` function of `librcm.so` using `nvram_safe_get` and concatenated into `iptables` shell commands executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router’s web interface. | 2025-11-13 | not yet calculated | CVE-2025-60700 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/3.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60700.md |
| D-Link–DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_433188` function in `prog.cgi` stores user-supplied email configuration parameters (`EmailFrom`, `EmailTo`, `SMTPServerAddress`, `SMTPServerPort`, `AccountName`) in NVRAM via `nvram_safe_set`. These values are later retrieved in the `sub_448FDC` function of `rc` using `nvram_safe_get` and concatenated into shell commands executed via `twsystem()` without sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router’s web interface. | 2025-11-13 | not yet calculated | CVE-2025-60701 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/1.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60701.md |
| TOTOLINK–A950RG Router | A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary. The `setDiagnosisCfg` function retrieves the `ipDoamin` parameter from user input via `websGetVar` and concatenates it directly into a `ping` system command executed via `CsteSystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router’s web interface. | 2025-11-13 | not yet calculated | CVE-2025-60702 | https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/1.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/CVE-2025-60702.md |
| n/a–BusyBox 1.3.7 | BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | 2025-11-10 | not yet calculated | CVE-2025-60876 | https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092 |
| Apache Software Foundation–Apache OFBiz | Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-61623 | https://issues.apache.org/jira/browse/OFBIZ-13295 https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-24.09.03.html https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y |
| DataDog–datadog-agent | The Datadog Agent collects events and metrics from hosts and sends them to Datadog. A vulnerability within the Datadog Linux Host Agent versions 7.65.0 through 7.70.2 exists due to insufficient permissions being set on the `opt/datadog-agent/python-scripts/__pycache__` directory during installation. Code in this directory is only run by the Agent during Agent install/upgrades. This could allow an attacker with local access to modify files in this directory, which would then subsequently be run when the Agent is upgraded, resulting in local privilege escalation. This issue requires local access to the host and a valid low privilege account to be vulnerable. Note that this vulnerability only impacts the Linux Host Agent. Other variations of the Agent including the container, kubernetes, windows host and other agents are not impacted. Version 7.71.0 contains a patch for the issue. | 2025-11-12 | not yet calculated | CVE-2025-61667 | https://github.com/DataDog/datadog-agent/security/advisories/GHSA-6852-76c5-6cmg |
| GNU Project–GNU libmicrohttpd | A NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. | 2025-11-10 | not yet calculated | CVE-2025-62689 | https://www.gnu.org/software/libmicrohttpd/ https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b https://jvn.jp/en/jp/JVN76719218/ |
| SUSE–openSUSE | An Execution with Unnecessary Privileges vulnerability in lightdm-kde-greeter allows escalation from the service user to root. This issue affects lightdm-kde-greeter before 6.0.4. | 2025-11-12 | not yet calculated | CVE-2025-62876 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62876 |
| Tenda–n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63147 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/5/1.md |
| Tenda–n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63149 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/3/1.md |
| Tenda–n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63152 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/4/1.md |
| TOTOLink–A7000R | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63153 | https://github.com/0-fool/VulnbyCola/blob/main/TOTOLINK/A7000/6/1.md |
| TOTOLink–A7000R | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the addEffect parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2025-11-10 | not yet calculated | CVE-2025-63154 | https://github.com/0-fool/VulnbyCola/blob/main/TOTOLINK/A7000/4/1.md |
| n/a–Open5GS 2.7.6 | In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service. | 2025-11-10 | not yet calculated | CVE-2025-63288 | https://github.com/open5gs/open5gs/issues/4087 https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5 |
| n/a–n/a | The Sogexia Android app (affected compile SDK v35, max SDK 32; fixed in v36) was discovered to contain hardcoded encryption keys in the encryption_helper.dart file. | 2025-11-12 | not yet calculated | CVE-2025-63289 | https://www.linkedin.com/in/umanhonlengabriel https://medium.com/@sudosu01/information-disclosure-hardcoded-encryption-keys-fc375abf68a3 |
| n/a–Alteryx server 2022.1.1.42654 | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particular MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private Studio API keys. | 2025-11-14 | not yet calculated | CVE-2025-63291 | https://help.alteryx.com/current/en/server/api-overview/alteryx-server-api-v3/server-api-configuration-and-authorization.html https://help.alteryx.com/current/en/server/api-overview.html https://aleksazatezalo.medium.com/alteryx-server-idor-advisory-782e3013ee38 |
| n/a–Tuya Smart Security Camera firmware v33.53.87 | KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability in its boot/update logic: during startup /usr/sbin/anyka_service.sh scans mounted TF/SD cards and, if /mnt/update.nor.sh is present, copies it to /tmp/net.sh and executes it as root. | 2025-11-10 | not yet calculated | CVE-2025-63296 | https://gist.github.com/t4e-3/082cdd0b7ee6b650c7aaae97fd4e016c https://github.com/t4e-3/CVE-2025-63296 |
| n/a–FiberHome | A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device’s factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction. | 2025-11-12 | not yet calculated | CVE-2025-63353 | https://github.com/hanianis/CVE-2025-63353 https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3 |
| n/a–n/a | A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor’s privilege level. Instead of downgrading from Machine-mode (M-mode) to Supervisor-mode (S-mode) as specified by the sstatus.SPP bit, the processor incorrectly remains in M-mode, leading to a critical privilege retention vulnerability. | 2025-11-10 | not yet calculated | CVE-2025-63384 | https://github.com/chipsalliance/rocket-chip.git https://github.com/107040503/RISC-V-Vulnerability-Disclosure_SRET |
| n/a–PyTorch v2.5, v2.7.1 | An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop() can cause torch.profiler.profile (PythonTracer) to crash or hang during finalization, leading to a Denial of Service (DoS). | 2025-11-12 | not yet calculated | CVE-2025-63396 | https://github.com/Daisy2ang http://pytorch.com https://github.com/pytorch/pytorch https://github.com/pytorch/pytorch/issues/156563 |
| n/a–OneFlow v0.9.0 | Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. | 2025-11-10 | not yet calculated | CVE-2025-63397 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10666 |
| n/a–GroupOffice | An issue in Intermesh BV GroupOffice before v25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via dbToApi() and eval() in FunctionField.php. | 2025-11-13 | not yet calculated | CVE-2025-63406 | https://noahheraud.com/posts/CVE-2025-63406/ |
| n/a–CrushFTP 11.3.6 | Cross-Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The web-based server has a file-sharing feature that reflects the filename into an email body field without sanitization, leading to HTML injection. | 2025-11-12 | not yet calculated | CVE-2025-63419 | https://gist.github.com/MMAKINGDOM/39ded58b1e6d2d19366e76e0d5b1c851 https://github.com/MMAKINGDOM/CVE-2025-63419/ |
| Tenda–AX-3 v16.03.12.10 | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63455 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/6/1.md |
| Tenda–AX-1803 v1.0.0.1 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63456 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/3/1.md |
| Tenda–AX-1803 v1.0.0.1 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63457 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/1/1.md |
| n/a–n/a | The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly concatenated into SQL queries without proper sanitization, allowing authenticated attackers (doctor role) to execute arbitrary SQL queries. | 2025-11-10 | not yet calculated | CVE-2025-63497 | https://github.com/cristibtz/security-research/tree/main/rickxy-Hospital-Management-System https://github.com/cristibtz/security-research/blob/main/CVE-2025-63497/report.md |
| n/a–n/a | ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. | 2025-11-10 | not yet calculated | CVE-2025-63617 | https://github.com/ChangeYourWay/post/blob/main/ktg-mes.md https://gist.github.com/ChangeYourWay/8651679a2155269bccf520fcb34fc661 |
| n/a–n/a | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application’s message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user’s Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient’s browser context when the Inbox message is viewed. | 2025-11-12 | not yet calculated | CVE-2025-63645 | https://drive.google.com/drive/folders/1u2o2NWHzClSjsNzhtkk1QvaDGisAXs2v https://medium.com/@rudranshsinghrajpurohit/cve-2025-63645-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-8073ac4be5be |
| n/a–n/a | Tenda AC15 v15.03.05.18_multi issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources. | 2025-11-12 | not yet calculated | CVE-2025-63666 | https://github.com/Remenis/CVE-2025-63666 |
| n/a–n/a | Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication. | 2025-11-12 | not yet calculated | CVE-2025-63667 | https://github.com/Remenis/Vatilon_evidence/releases/download/Evidence/Vatilon_vulnerability_evidence_2025.zip https://github.com/Remenis/CVE-2025-63667 |
| n/a–n/a | An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file. | 2025-11-10 | not yet calculated | CVE-2025-63678 | https://github.com/kasiasok/raports/blob/main/CMSMS%202.2.22%20_%20Raport%20092025.pdf |
| n/a–n/a | free5gc v4.1.0 and before is vulnerable to a buffer overflow. When the AMF receives an UplinkRANConfigurationTransfer NGAP message from a gNB, the AMF process crashes. | 2025-11-12 | not yet calculated | CVE-2025-63679 | https://github.com/free5gc/free5gc/issues/725 https://gist.github.com/DDGod2025/5483d94b028d7a0c111ca23844e8a94d |
| n/a–n/a | Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor. | 2025-11-14 | not yet calculated | CVE-2025-63680 | https://github.com/PotatoHamm/Nero-Productline-Vulnerability |
| n/a–n/a | A heap corruption vulnerability exists in the Advantech TP-3250 printer driver’s DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes the output buffer size matches the input buffer size, leading to invalid memory operations and heap corruption. This vulnerability can cause denial of service through application crashes and potentially lead to code execution in user space. Local access is required to exploit this vulnerability. | 2025-11-14 | not yet calculated | CVE-2025-63701 | https://neurowinter.com/security/2025/10/08/Heap-Corruption-in-Advantech-TP-3250-Printer-Driver/ |
| n/a–n/a | A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the “Add Tasks” text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim’s browser. | 2025-11-10 | not yet calculated | CVE-2025-63709 | https://www.sourcecodester.com/php/17897/simple-do-list-system-using-php.html https://github.com/floccocam-cpu/CVE-Research-2025/tree/main/CVE-2025-63709 |
| n/a–n/a | The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim’s privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room. | 2025-11-10 | not yet calculated | CVE-2025-63710 | https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md |
| n/a–n/a | A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application’s user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts. | 2025-11-10 | not yet calculated | CVE-2025-63711 | https://www.sourcecodester.com/php/17514/client-database-management-system.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63711/README3.md |
| n/a–n/a | Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the endpoint relies solely on session cookies and lacks CSRF protection. | 2025-11-10 | not yet calculated | CVE-2025-63712 | https://www.sourcecodester.com/php/17883/web-based-product-alert-system.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63712/README4.md |
| n/a–n/a | SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | 2025-11-14 | not yet calculated | CVE-2025-63724 | https://deepstrike.io/blog/sql-injection-in-svx-portal-v-2-7A |
| n/a–n/a | Reflected Cross-Site Scripting (XSS) vulnerability in SVX Portal 2.7A via the id parameter to Recivers.php. | 2025-11-14 | not yet calculated | CVE-2025-63725 | https://deepstrike.io/blog/sql-injection-in-svx-portal-v-2-7A https://deepstrike.io/blog/reflected-xss-via-unescaped-attribute-context-in-svx-portal |
| n/a–n/a | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program. | 2025-11-14 | not yet calculated | CVE-2025-63744 | https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_dyldcache.md https://github.com/radareorg/radare2/issues/24661 https://github.com/radareorg/radare2/commit/e37e15d10fd8a19c3e57b3d7735a2cfe0082ec79 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-002-radare2-nullptr-deref-bin_dyldcache.md |
| n/a–n/a | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data. | 2025-11-14 | not yet calculated | CVE-2025-63745 | https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_ne.md https://github.com/radareorg/radare2/issues/24660 https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-001-radare2-nullptr-deref-bin_ne.md |
| n/a–n/a | An issue was discovered in dvsekhvalnov jose2go 1.5.0 through 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via a crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio. | 2025-11-12 | not yet calculated | CVE-2025-63811 | https://github.com/dvsekhvalnov/jose2go/issues/33 |
| n/a–n/a | CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | 2025-11-14 | not yet calculated | CVE-2025-63830 | https://ckeditor.com/ckfinder/changelog/ https://github.com/Shubham03007/CVE-2025-63830/blob/main/README.md |
| Tenda–AC18 v15.03.05.05 | A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router’s homepage. | 2025-11-10 | not yet calculated | CVE-2025-63834 | https://github.com/babraink/cve_report/blob/main/cve_report/tenda/tendaAC18/wifiset_ssid_xss/README.md |
| Tenda–AC18 v15.03.05.05 | A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can exploit this vulnerability by sending oversized data to the guestSsid parameter, leading to denial of service (device crash) or potential remote code execution. | 2025-11-10 | not yet calculated | CVE-2025-63835 | https://github.com/babraink/cve_report/blob/main/cve_report/tenda/tendaAC18/2_wifiguest_guestssid_overflow/README.md |
| n/a–n/a | Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql. | 2025-11-14 | not yet calculated | CVE-2025-63891 | http://simple.com http://sourcecodester.com https://github.com/lucascdsm/CVEs/blob/main/CVE-2025-63891.md |
| n/a–n/a | A heap-use-after-free vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08). During multi-threaded client execution, the function Iec10x_Scheduled can access memory that has already been freed, potentially causing program crashes or undefined behavior. This may be exploited to trigger a denial-of-service or memory corruption. | 2025-11-12 | not yet calculated | CVE-2025-63927 | https://github.com/airpig2011/IEC104/issues/20 https://songsong.host/mybugs/CVE-2025-63927.html |
| n/a–n/a | A null pointer dereference vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08). When multiple threads enqueue elements concurrently via IEC10X_PrioEnQueue, the function may dereference a null or freed queue pointer, resulting in a segmentation fault and potential denial-of-service. | 2025-11-12 | not yet calculated | CVE-2025-63929 | https://github.com/airpig2011/IEC104/issues/21 https://songsong.host/mybugs/CVE-2025-63929.html |
| n/a–n/a | An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function. | 2025-11-14 | not yet calculated | CVE-2025-64084 | https://github.com/magicbug/Cloudlog/commit/72a8c3d705c8629f60f64da9f37968417c980242 https://github.com/magicbug/Cloudlog/releases/tag/2.7.6 https://github.com/XY20130630/Cloudlog/security/advisories/GHSA-4r9r-3r3q-jg44 |
| OpenIdentityPlatform–OpenAM | Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the “claims_parameter_supported” parameter is activated, it is possible, thanks to the “oidc-claims-extension.groovy” script, to inject the value of one’s choice into a claim contained in the id_token or in the user_info. In the request of an authorize function, a claims parameter containing a JSON file can be injected. This JSON file allows attackers to customize the claims returned by the “id_token” and “user_info” files. This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64099 | https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqc |
| AcademySoftwareFoundation–openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue. | 2025-11-10 | not yet calculated | CVE-2025-64181 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq https://github.com/user-attachments/files/23024726/archive0.zip https://github.com/user-attachments/files/23024736/archive1.zip https://github.com/user-attachments/files/23024740/archive2.zip https://github.com/user-attachments/files/23024744/archive3.zip https://github.com/user-attachments/files/23024746/archive4.zip |
| AcademySoftwareFoundation–openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to a heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue. | 2025-11-10 | not yet calculated | CVE-2025-64182 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536 |
| AcademySoftwareFoundation–openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString, which calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.). Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue. | 2025-11-10 | not yet calculated | CVE-2025-64183 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115 |
| Jeroen Schmit–Theater for WordPress | Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.18.8. | 2025-11-13 | not yet calculated | CVE-2025-64259 | https://vdp.patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-18-8-broken-access-control-vulnerability?_s_id=cve |
| codepeople–Appointment Booking Calendar | Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95. | 2025-11-13 | not yet calculated | CVE-2025-64261 | https://vdp.patchstack.com/database/Wordpress/Plugin/appointment-booking-calendar/vulnerability/wordpress-appointment-booking-calendar-plugin-1-3-95-broken-access-control-vulnerability?_s_id=cve |
| ramon fincken–Auto Prune Posts | Cross-Site Request Forgery (CSRF) vulnerability in ramon fincken Auto Prune Posts auto-prune-posts allows Cross Site Request Forgery. This issue affects Auto Prune Posts: from n/a through <= 3.0.0. | 2025-11-13 | not yet calculated | CVE-2025-64262 | https://vdp.patchstack.com/database/Wordpress/Plugin/auto-prune-posts/vulnerability/wordpress-auto-prune-posts-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| PluginEver–WP Content Pilot | Missing Authorization vulnerability in PluginEver WP Content Pilot wp-content-pilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Content Pilot: from n/a through <= 2.1.7. | 2025-11-13 | not yet calculated | CVE-2025-64263 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-content-pilot/vulnerability/wordpress-wp-content-pilot-plugin-2-1-7-broken-access-control-vulnerability?_s_id=cve |
| Aman–Popup addon for Ninja Forms | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows Stored XSS. This issue affects Popup addon for Ninja Forms: from n/a through <= 3.5.1. | 2025-11-13 | not yet calculated | CVE-2025-64264 | https://vdp.patchstack.com/database/Wordpress/Plugin/popup-addon-for-ninja-forms/vulnerability/wordpress-popup-addon-for-ninja-forms-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| N-Media–Frontend File Manager | Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through <= 23.2. | 2025-11-13 | not yet calculated | CVE-2025-64265 | https://vdp.patchstack.com/database/Wordpress/Plugin/nmedia-user-file-uploader/vulnerability/wordpress-frontend-file-manager-plugin-23-2-broken-access-control-vulnerability-2?_s_id=cve |
| WPSwings–WooCommerce Ultimate Points And Rewards | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2. | 2025-11-13 | not yet calculated | CVE-2025-64267 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-ultimate-points-and-rewards/vulnerability/wordpress-woocommerce-ultimate-points-and-rewards-plugin-2-10-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| EDGARROJAS–WooCommerce PDF Invoice Builder | Missing Authorization vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 1.2.150. | 2025-11-13 | not yet calculated | CVE-2025-64269 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-1-2-150-broken-access-control-vulnerability?_s_id=cve |
| HasThemes–WP Plugin Manager | Cross-Site Request Forgery (CSRF) vulnerability in HasThemes WP Plugin Manager wp-plugin-manager allows Cross Site Request Forgery. This issue affects WP Plugin Manager: from n/a through <= 1.4.7. | 2025-11-13 | not yet calculated | CVE-2025-64271 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-plugin-manager/vulnerability/wordpress-wp-plugin-manager-plugin-1-4-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpkoithemes–WPKoi Templates for Elementor | Missing Authorization vulnerability in wpkoithemes WPKoi Templates for Elementor wpkoi-templates-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPKoi Templates for Elementor: from n/a through <= 3.4.4. | 2025-11-13 | not yet calculated | CVE-2025-64274 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpkoi-templates-for-elementor/vulnerability/wordpress-wpkoi-templates-for-elementor-plugin-3-4-4-broken-access-control-vulnerability?_s_id=cve |
| wpdevelop–Booking Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.17. | 2025-11-13 | not yet calculated | CVE-2025-64275 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking-manager/vulnerability/wordpress-booking-manager-plugin-2-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro–Survey Maker | Missing Authorization vulnerability in Ays Pro Survey Maker survey-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Survey Maker: from n/a through <= 5.1.9.4. | 2025-11-13 | not yet calculated | CVE-2025-64276 | https://vdp.patchstack.com/database/Wordpress/Plugin/survey-maker/vulnerability/wordpress-survey-maker-plugin-5-1-9-4-broken-access-control-vulnerability?_s_id=cve |
| QuantumCloud–ChatBot | Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.9. | 2025-11-13 | not yet calculated | CVE-2025-64277 | https://vdp.patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve |
| n/a–CentralSquare Community Development 19.5.7 | A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field. | 2025-11-12 | not yet calculated | CVE-2025-64280 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| n/a–CentralSquare Community Development 19.5.7 | An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials. | 2025-11-12 | not yet calculated | CVE-2025-64281 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| PascalBajorat–Analytics Germanized for Google Analytics | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PascalBajorat Analytics Germanized for Google Analytics ga-germanized allows DOM-Based XSS. This issue affects Analytics Germanized for Google Analytics: from n/a through <= 1.6.2. | 2025-11-13 | not yet calculated | CVE-2025-64292 | https://vdp.patchstack.com/database/Wordpress/Plugin/ga-germanized/vulnerability/wordpress-analytics-germanized-for-google-analytics-plugin-1-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| codepeople–Contact Form Email | Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.58. | 2025-11-13 | not yet calculated | CVE-2025-64369 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-58-broken-access-control-vulnerability?_s_id=cve |
| YOP–YOP Poll | Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YOP Poll: from n/a through <= 6.5.38. | 2025-11-13 | not yet calculated | CVE-2025-64370 | https://vdp.patchstack.com/database/Wordpress/Plugin/yop-poll/vulnerability/wordpress-yop-poll-plugin-6-5-38-broken-access-control-vulnerability?_s_id=cve |
| Pluggabl–Booster for WooCommerce | Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booster for WooCommerce: from n/a through <= 7.4.0. | 2025-11-13 | not yet calculated | CVE-2025-64379 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-jetpack/vulnerability/wordpress-booster-for-woocommerce-plugin-7-4-0-broken-access-control-vulnerability?_s_id=cve |
| Pluggabl–Booster for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Stored XSS. This issue affects Booster for WooCommerce: from n/a through <= 7.3.2. | 2025-11-13 | not yet calculated | CVE-2025-64380 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-jetpack/vulnerability/wordpress-booster-for-woocommerce-plugin-7-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpdevelop–Booking Calendar | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7. | 2025-11-13 | not yet calculated | CVE-2025-64381 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking/vulnerability/wordpress-booking-calendar-plugin-10-14-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebToffee–Order Export & Order Import for WooCommerce | Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce order-import-export-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Export & Order Import for WooCommerce: from n/a through <= 2.6.7. | 2025-11-13 | not yet calculated | CVE-2025-64382 | https://vdp.patchstack.com/database/Wordpress/Plugin/order-import-export-for-woocommerce/vulnerability/wordpress-order-export-order-import-for-woocommerce-plugin-2-6-7-broken-access-control-vulnerability?_s_id=cve |
| Qode–Qi Blocks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Qode Qi Blocks qi-blocks allows Stored XSS. This issue affects Qi Blocks: from n/a through <= 1.4.3. | 2025-11-13 | not yet calculated | CVE-2025-64383 | https://vdp.patchstack.com/database/Wordpress/Plugin/qi-blocks/vulnerability/wordpress-qi-blocks-plugin-1-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jetmonsters–JetFormBuilder | Missing Authorization vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetFormBuilder: from n/a through <= 3.5.3. | 2025-11-13 | not yet calculated | CVE-2025-64384 | https://vdp.patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used “floating frames” linked to external files would load the contents of those frames without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. The LibreOffice suite reported this issue as CVE-2023-2255. | 2025-11-12 | not yet calculated | CVE-2025-64401 | https://www.openoffice.org/security/cves/CVE-2025-64401.html https://lists.apache.org/thread/o00dtgvhr9tx8r4y8vf6y2mg7nn6mx6c |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used “OLE objects” linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64402 | https://www.openoffice.org/security/cves/CVE-2025-64402.html https://lists.apache.org/thread/tssrl88tygjsgk6csllm6p2fb6tlv8d8 |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice Calc spreadsheets can contain links to other files, in the form of “external data sources”. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause such links to be loaded without prompt. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64403 | https://www.openoffice.org/security/cves/CVE-2025-64403.html https://lists.apache.org/thread/t7c6jhvdb00xtgd9vvn7h5sq9f4h5trt |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used background fill images, or bullet images, linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64404 | https://www.openoffice.org/security/cves/CVE-2025-64404.html https://lists.apache.org/thread/08n4mdx0pnhqsllnkc63d27sdgq3tygc |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheets containing DDE links to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64405 | https://www.openoffice.org/security/cves/CVE-2025-64405.html https://lists.apache.org/thread/0jjftxkcc4l9kt7jjn630hfrh2ygfcbk |
| Apache Software Foundation–Apache OpenOffice | An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64406 | https://www.openoffice.org/security/cves/CVE-2025-64406.html https://lists.apache.org/thread/py89gpogxfb2yo9c5vwv2h9x3m85pfmm |
| Apache Software Foundation–Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variables or configuration settings. In the affected versions of Apache OpenOffice, documents that used a certain URI scheme linking to external files would load the contents of such files without prompting the user for permission to do so. This URI scheme allows system configuration data, which is not supposed to be transmitted externally, to be included. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. The LibreOffice suite reported this issue as CVE-2024-12426. | 2025-11-12 | not yet calculated | CVE-2025-64407 | https://www.openoffice.org/security/cves/CVE-2025-64407.html https://lists.apache.org/thread/4yg1gv71f14fw4ky4ds50o6xjq49594g |
| duckdb–duckdb | DuckDB is a SQL database management system. DuckDB implemented block-based encryption of the database on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. DuckDB can fall back to an insecure random number generator (pcg32) to generate cryptographic keys or IVs. When clearing keys from memory, the compiler may remove the memset() and leave sensitive data on the heap. By modifying the database header, an attacker could downgrade the encryption mode from GCM to CTR to bypass integrity checks. There may be a failure to check the return value of the call to OpenSSL `rand_bytes()`. An attacker could use public IVs to compromise the internal state of the RNG and determine the randomly generated key used to encrypt temporary files, get access to cryptographic keys if they have access to process memory (e.g. through a memory leak), circumvent GCM integrity checks, and/or influence the OpenSSL random number generator, and DuckDB would not be able to detect a failure of the generator. Version 1.4.2 has disabled the insecure random number generator by no longer using the fallback to write to or create databases. Instead, DuckDB will now attempt to install and load the OpenSSL implementation in the `httpfs` extension. DuckDB now uses the secure MbedTLS primitive to clear memory as recommended and requires explicit specification of ciphers without integrity checks like CTR on `ATTACH`. Additionally, DuckDB now checks the return code. | 2025-11-12 | not yet calculated | CVE-2025-64429 | https://github.com/duckdb/duckdb/security/advisories/GHSA-vmp8-hg63-v2hp https://github.com/duckdb/duckdb/pull/17275 https://duckdb.org/2025/09/16/announcing-duckdb-140.html https://github.com/duckdb/duckdb/blob/029a5b87ff5b1cd22f7f9717d48cd8830d00807c/src/common/random_engine.cpp#L20 |
| Sony Network Communications Inc.–NCP-HG100/Cellular model | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges. | 2025-11-14 | not yet calculated | CVE-2025-64444 | https://support.sonynetwork.co.jp/faqsupport/manoma/web/knowledge11157.html https://jvn.jp/en/jp/JVN49899607/ |
| parse-community–parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows restricting `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depend on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or is set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments. | 2025-11-10 | not yet calculated | CVE-2025-64502 | https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq https://github.com/parse-community/parse-server/pull/9890 https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452 |
| lxc–incus | Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true`, as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with isolated, restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed. | 2025-11-10 | not yet calculated | CVE-2025-64507 | https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf https://github.com/lxc/incus/issues/2641 https://github.com/lxc/incus/pull/2642 |
| milvus-io–milvus | Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior. | 2025-11-10 | not yet calculated | CVE-2025-64513 | https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p https://github.com/milvus-io/milvus/pull/45379 https://github.com/milvus-io/milvus/pull/45383 https://github.com/milvus-io/milvus/pull/45391 |
| filebrowser–filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application’s share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users’ shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. Version 2.45.1 contains a fix for the issue. | 2025-11-12 | not yet calculated | CVE-2025-64523 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4 |
| authzed–spicedb | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, a `WriteRelationships` call can return a successful response when the call actually failed, if all of the following hold: the authorization schema uses the exclusion operator somewhere; the SpiceDB server is configured with `--write-relationships-max-updates-per-call` larger than 6500; and the call carries enough updates that the payload exceeds what the datastore allows. Permission checks that must read those relationships to resolve the relation involving the exclusion then return incorrect results. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`. | 2025-11-10 | not yet calculated | CVE-2025-64529 | https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7 |
| frappe–lms | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL. | 2025-11-12 | not yet calculated | CVE-2025-64705 | https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8 |
| frappe–lms | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated. | 2025-11-12 | not yet calculated | CVE-2025-64707 | https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm |
| bitfoundation–bitplatform | Bitplatform Boilerplate is a Visual studio and .NET project template. Versions prior to 9.11.3 are affected by a cross-site scripting (XSS) vulnerability in the WebInteropApp/WebAppInterop, potentially allowing attackers to inject malicious scripts that compromise the security and integrity of web applications. Applications based on this Bitplatform Boilerplate might also be vulnerable. Version 9.11.3 fixes the issue. | 2025-11-13 | not yet calculated | CVE-2025-64710 | https://github.com/bitfoundation/bitplatform/security/advisories/GHSA-rv95-xj37-7c3w |
| TecharoHQ–anubis | Anubis is a Web AI Firewall Utility that challenges users’ connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not validate the redirect URL and would redirect the user to a URL of any scheme. While most modern browsers do not allow a redirect to `javascript:` URLs, it could still trigger dangerous behavior in some cases. Any deployment using subrequest authentication may be affected. Version 1.23.0 contains a fix for the issue. | 2025-11-13 | not yet calculated | CVE-2025-64716 | https://github.com/TecharoHQ/anubis/security/advisories/GHSA-cf57-c578-7jvv https://github.com/TecharoHQ/anubis/commit/7ed1753fcced351c81961bf520a7bfb2caac6e88 https://pkg.go.dev/vuln/GO-2025-4086 |
| zitadel–zitadel | ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL’s federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform’s failure to correctly check or enforce an organization’s specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on matching criteria, link the attacker’s external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization’s mandated security controls. Note that accounts with MFA enabled cannot be taken over by this attack. Also note that only IdPs created at the instance level would allow this to work; IdPs registered on another organization are always denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization’s login policy before auto-linking an external user. No known workarounds are available aside from upgrading. | 2025-11-13 | not yet calculated | CVE-2025-64717 | https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px https://github.com/zitadel/zitadel/releases/tag/v2.71.19 https://github.com/zitadel/zitadel/releases/tag/v3.4.4 https://github.com/zitadel/zitadel/releases/tag/v4.6.6 |
| SocketDev–firewall-release | Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. An attacker can execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall’s security controls are initialized, effectively bypassing the tool’s malicious package detection. The attack vector is indirect: it requires a developer to install dependencies for an untrusted project and execute a command within the context of that project. The vulnerability has been patched in Socket Firewall version 0.15.5; users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Run `sfw --version` to check the installed version. Users who rely on the recommended installation mechanism (e.g., global installation via `npm install -g sfw`) need no workaround, because the wrapper package automatically ensures that the latest version of Socket Firewall is run. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files. | 2025-11-13 | not yet calculated | CVE-2025-64726 | https://github.com/SocketDev/firewall-release/security/advisories/GHSA-6c5p-vqrh-h6fp https://bsky.app/profile/evilpacket.net/post/3m4iylwxtns2t |
| jitsi–jitsi-meet | Jitsi Meet is an open source video conferencing application. A vulnerability present in versions prior to 2.0.10532 allows attackers to hijack the OAuth authentication window for Microsoft accounts. This is fixed in version 2.0.10532. No known workarounds are available. | 2025-11-13 | not yet calculated | CVE-2025-64754 | https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-5fx7-wgcr-fj78 |
| N-able–N-central | N-central before 2025.4 can generate session IDs for unauthenticated users. | 2025-11-12 | not yet calculated | CVE-2025-9316 | https://me.n-able.com/s/security-advisory/aArVy0000000rdpKAA/cve20259316-ncentral-unauthenticated-sessionid-generation |
| Google–Chrome | Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2025-9479 | |
| OpenSolution–QuickCMS | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-14 | not yet calculated | CVE-2025-9982 | https://cert.pl/posts/2025/11/CVE-2025-9982 https://opensolution.org/cms-system-quick-cms.html |
