High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web–10Web Booster Website speed optimization, Cache & Page Speed optimizer | The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition. | 2025-12-06 | 9.6 | CVE-2025-13377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer |
| Advantech–iView | Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. | 2025-12-04 | 7.5 | CVE-2025-13373 | https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183 https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json |
| aimeos–ai-cms-grapesjs | The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8. | 2025-12-02 | 7.7 | CVE-2025-66468 | https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042 |
| ajitdas–Flex QR Code Generator | The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-06 | 9.8 | CVE-2025-12673 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d71404e-0db8-485b-a626-5e0df2076c05?source=cve https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457 https://ryankozak.com/posts/cve-2025-12673/ https://github.com/d0n601/CVE-2025-12673 |
| Akamai–Guardicore Platform Agent | The GC-AGENTS-SERVICE running as part of Akamai’s Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted “openssl.cnf” file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner. | 2025-12-03 | 7.8 | CVE-2025-53841 | https://www.tuv.com/landingpage/en/vulnerability-disclosure/ https://techdocs.akamai.com/guardicore-platform-agent/changelog https://community.akamai.com/customers/s/article/Windows-Agent-Vulnerability-Summary-and-Resolution |
| Argus Technology Inc.–BILGER | Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier. This issue affects BILGER: before 2.4.9. | 2025-12-02 | 7.5 | CVE-2025-13295 | https://www.usom.gov.tr/bildirim/tr-25-0423 |
| Array Networks–ArrayOS AG | Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025. | 2025-12-05 | 7.2 | CVE-2025-66644 | https://www.jpcert.or.jp/at/2025/at250024.html https://x.com/ArraySupport/status/1921373397533032590 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/ |
| auth0–node-jws | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1. | 2025-12-04 | 7.5 | CVE-2025-65945 | https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e |
| Avast–Antivirus | Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation. This issue affects Antivirus: from 25.1.981.6 before 25.3. | 2025-12-01 | 9 | CVE-2025-3500 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast–Antivirus | Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98. | 2025-12-01 | 9 | CVE-2025-8351 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast–Antivirus | Heap-based Buffer Overflow, Out-of-bounds Write vulnerability in Avast Antivirus on MacOS of a crafted Mach-O file may allow Local Execution of Code or Denial of Service of antivirus protection. This issue affects Antivirus: from 15.7 before 3.9.2025. | 2025-12-01 | 8.1 | CVE-2025-10101 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast–Antivirus | NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Antivirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash. This issue affects Antivirus: 16.0.0; Antivirus: 3.0.3. | 2025-12-01 | 7.5 | CVE-2025-7007 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| bacnet-stack–bacnet-stack | BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable. | 2025-12-05 | 7.5 | CVE-2025-66624 | https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48 |
| brainstormforce–Starter Templates AI-Powered Templates for Elementor & Gutenberg | The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-13065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php |
| brainstormforce–SureMail SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin’s save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration. | 2025-12-02 | 8.1 | CVE-2025-13516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3a20047-a325-4d29-a848-7ffa525d0bad?source=cve https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L231 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L113 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/admin/plugin.php#L407 https://cwe.mitre.org/data/definitions/434.html https://plugins.trac.wordpress.org/changeset/3403145/suremails/trunk?contextall=1&old=3389326&old_path=%2Fsuremails%2Ftrunk |
| Chanjet–CRM | A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14189 | VDB-334609 \| Chanjet CRM jxf_dump_table_demo.php sql injection VDB-334609 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699133 \| chanjet CRM V1.0 SQL Injection https://github.com/hacker-routing/cve/issues/2 https://github.com/hacker-routing/cve/issues/2#issue-3646348225 |
| Chanjet–TPlus | A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. This manipulation of the argument currentAccId causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14190 | VDB-334610 \| Chanjet TPlus sql injection VDB-334610 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699144 \| Chanjet Chanjet T+ V1.0 SQL Injection https://github.com/hacker-routing/Changjetong-T-/issues/1 https://github.com/hacker-routing/Changjetong-T-/issues/1#issue-3646765351 |
| coder–coder | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. | 2025-12-03 | 7.8 | CVE-2025-66411 | https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74 https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289 https://github.com/coder/coder/releases/tag/v2.26.5 https://github.com/coder/coder/releases/tag/v2.27.7 https://github.com/coder/coder/releases/tag/v2.28.4 |
| CODESYS–CODESYS Control RTE (SL) | An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition. | 2025-12-01 | 7.5 | CVE-2025-41738 | https://certvde.com/de/advisories/VDE-2025-100 |
| CODESYS–CODESYS Development System | An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | 2025-12-01 | 7.8 | CVE-2025-41700 | https://certvde.com/de/advisories/VDE-2025-101 |
| codisto–Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration Powered by Codisto | The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-04 | 7.2 | CVE-2025-11727 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4e3b796-af9a-4403-8d9a-1b56d7253b45?source=cve https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2101 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3063 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3248 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2117 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3249 |
| contentstudio–ContentStudio | The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12181 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b92b0a4-7ebf-43b3-837b-ad710e5e35ff?source=cve https://wordpress.org/plugins/contentstudio/ |
| Dell–CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2025-12-05 | 7 | CVE-2025-46603 | https://www.dell.com/support/kbdoc/en-us/000397417/dsa-2025-387-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| DesignThemes–DesignThemes LMS | The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the ‘dtlms_register_user_front_end’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. | 2025-12-02 | 9.8 | CVE-2025-13542 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve https://themeforest.net/item/egrad-education-wordpress-theme/42803015 |
| dripadmin–CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user’s email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability. | 2025-12-05 | 9.8 | CVE-2025-13313 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/ntzcrm-memberships.php#L42 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L12 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L63 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L795 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-dbquery.php#L287 |
| e4jvikwp–VikRentCar Car Rental Management System | The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘month’ parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 7.5 | CVE-2025-13724 | https://www.wordfence.com/threat-intel/vulnerabilities/id/724a2da0-e4e7-4868-a1ad-fce69a915981?source=cve https://plugins.trac.wordpress.org/browser/vikrentcar/trunk/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/browser/vikrentcar/tags/1.4.4/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403439%40vikrentcar&new=3403439%40vikrentcar&sfp_email=&sfph_mail= |
| frappe–frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 7.1 | CVE-2025-66205 | https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9 https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66295 | https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66296 | https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66299 | https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privilege can read any server files using the “Frontmatter” form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.5 | CVE-2025-66300 | https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions. | 2025-12-05 | 7.7 | CVE-2024-9183 | GitLab Issue #494478 HackerOne Bug Bounty Report #2707421 |
| H3C–Magic B0 | A weakness has been identified in H3C Magic B0 up to 100R002. This impacts the function EditWlanMacList of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 8.8 | CVE-2025-14015 | VDB-334256 \| H3C Magic B0 aspForm EditWlanMacList buffer overflow VDB-334256 \| CTI Indicators (IOB, IOC, IOA) Submit #694755 \| New H3C Technologies Co., Ltd. Magic Bo Magic B0<=100R002 Buffer Overflow https://github.com/HungryGoogle/log_attack/blob/main/index2/2.md |
| H3C–Magic B1 | A weakness has been identified in H3C Magic B1 up to 100R004. The affected element is the function sub_44de0 of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14196 | VDB-334616 \| H3C Magic B1 aspForm sub_44de0 buffer overflow VDB-334616 \| CTI Indicators (IOB, IOC, IOA) Submit #699387 \| H3C Magic B1 ≤100R004 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md#poc |
| hwk-fr–Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | 2025-12-03 | 9.8 | CVE-2025-13486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve https://plugins.trac.wordpress.org/changeset/3400134/acf-extended |
| IBM–Informix Dynamic Server | IBM Informix Dynamic Server 14.10 could allow a local user on the system to log into the Informix server as administrator without a password. | 2025-12-02 | 8.4 | CVE-2024-45675 | https://www.ibm.com/support/pages/node/7252704 |
| kapilduraphe–mcp-watch | MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL. | 2025-12-01 | 9.8 | CVE-2025-66401 | https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6 |
| kraftplugins–Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-13066 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers |
| Linksys–RE6500 | A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Performing manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14133 | VDB-334522 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wireless_clientlist_setClientsName stack-based overflow VDB-334522 \| CTI Indicators (IOB, IOC, IOA) Submit #697980 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md#poc https://www.linksys.com/ |
| Linksys–RE6500 | A vulnerability was determined in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RE2000v2Repeater_get_wireless_clientlist_setClientsName of the file mod_form.so. Executing manipulation of the argument clientsname_0 can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14134 | VDB-334523 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334523 \| CTI Indicators (IOB, IOC, IOA) Submit #697981 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md#poc https://www.linksys.com/ |
| Linksys–RE6500 | A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14135 | VDB-334524 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wired_clientlist_setClientsName stack-based overflow VDB-334524 \| CTI Indicators (IOB, IOC, IOA) Submit #697982 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md#poc https://www.linksys.com/ |
| Linksys–RE6500 | A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14136 | VDB-334525 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334525 \| CTI Indicators (IOB, IOC, IOA) Submit #697983 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md#poc https://www.linksys.com/ |
| listingthemes–WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the “wdk_generate_auto_login_link” function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | 2025-12-03 | 10 | CVE-2025-13390 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/ https://github.com/d0n601/CVE-2025-13390 https://ryankozak.com/posts/cve-2025-13390/ |
| MasaCMS–MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 9.8 | CVE-2024-32641 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6 |
| MasaCMS–MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 8.8 | CVE-2024-32642 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8 https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960 |
| MasaCMS–MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 7.5 | CVE-2024-32643 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c |
| MAXHUB–Pivot client application | The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account. | 2025-12-04 | 7.5 | CVE-2025-53704 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json |
| Medtronic–CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 8.1 | CVE-2025-12995 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Meta–react-server-dom-webpack | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. | 2025-12-03 | 10 | CVE-2025-55182 | https://www.facebook.com/security/advisories/cve-2025-55182 https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components |
| Mirion Medical–EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection. | 2025-12-02 | 8.3 | CVE-2025-61940 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical–EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account ‘nmdbuser’ and the other accounts it creates have the sysadmin role by default. This can lead to remote code execution through the use of certain built-in stored procedures. | 2025-12-02 | 8.3 | CVE-2025-62575 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical–EC2 Software NMIS BioDose | In NMIS/BioDose V22.02 and previous versions, installations that use the embedded Microsoft SQL Server Express expose it in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data. | 2025-12-02 | 8.4 | CVE-2025-64298 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical–EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions’ installation directory paths by default have insecure file permissions, which in certain deployment scenarios can enable users on client workstations to modify the program executables and libraries. | 2025-12-02 | 8 | CVE-2025-64642 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical–EC2 Software NMIS BioDose | NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | 2025-12-02 | 7.3 | CVE-2025-64778 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| moderntribe–Auto Thumbnailer | The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12154 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve https://wordpress.org/plugins/auto-thumbnailer/ |
| moxi159753–Mogu Blog v2 | A security flaw has been discovered in moxi159753 Mogu Blog v2 up to 5.2. Impacted is the function LocalFileServiceImpl.uploadPictureByUrl of the file /file/uploadPicsByUrl. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13814 | VDB-333823; moxi159753 Mogu Blog v2 uploadPicsByUrl LocalFileServiceImpl.uploadPictureByUrl server-side request forgery VDB-333823; CTI Indicators (IOB, IOC, IOA) Submit #692105; moxi159753 mogu_blog_v2 <=v5.2 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md#proof-of-concept |
| n/a–ABRT daemon | A flaw was found in the ABRT daemon’s handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges. | 2025-12-03 | 8.8 | CVE-2025-12744 | https://access.redhat.com/security/cve/CVE-2025-12744 RHBZ#2412467 |
| n/a–Blood Bank Management System | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim’s browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63526 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63526.md |
| n/a–Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the remail and rpassword fields, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 10 | CVE-2025-63531 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63531.md |
| n/a–Blood Bank Management System 1.0 | An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php. | 2025-12-01 | 9.6 | CVE-2025-63525 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63525.md |
| n/a–Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63532 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63532.md |
| n/a–Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63535 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63535.md |
| n/a–Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim’s browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63527 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63527.md |
| n/a–Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim’s browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63528 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63528.md |
| n/a–Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone, rcity parameters, which are then executed in the victim’s browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63533 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63533.md |
| n/a–Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim’s browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63534 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63534.md |
| n/a–MediaCrush | A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header Handler. Manipulation of the argument Host leads to improper neutralization of HTTP headers for scripting syntax. The attack can be launched remotely. | 2025-12-01 | 7.3 | CVE-2025-13803 | VDB-333813; MediaCrush Header paths.py http headers for scripting syntax VDB-333813; CTI Indicators (IOB, IOC, IOA) Submit #691857; MediaCrush 1.0 Improper Neutralization of HTTP Headers for Scripting Syntax https://github.com/lakshayyverma/CVE-Discovery/blob/main/mediacrush.md |
| n/a–PgBouncer | Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage. | 2025-12-03 | 7.5 | CVE-2025-12819 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| NI–LabVIEW | There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013. | 2025-12-04 | 7.5 | CVE-2025-12097 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/relative-path-traversal-vulnerability-in-ni-system-web-server.html |
| nutzam–NutzBoot | A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-01 | 7.3 | CVE-2025-13806 | VDB-333816; nutzam NutzBoot Transaction API EthModule.java improper authorization VDB-333816; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692061; NutzBoot project (Nutz community) NutzBoot (Web3j starter + demo module) NutzBoot 2.6.0-SNAPSHOT Improper Access Control (Unauthenticated transaction API) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md#vulnerability-details-and-poc |
| NVIDIA–TAO | NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure. | 2025-12-03 | 8.8 | CVE-2025-33208 | https://nvd.nist.gov/vuln/detail/CVE-2025-33208 https://www.cve.org/CVERecord?id=CVE-2025-33208 https://nvidia.custhelp.com/app/answers/detail/a_id/5730 |
| NVIDIA–Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large payloads. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33201 | https://nvd.nist.gov/vuln/detail/CVE-2025-33201 https://www.cve.org/CVERecord?id=CVE-2025-33201 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| NVIDIA–Triton Inference Server | NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33211 | https://nvd.nist.gov/vuln/detail/CVE-2025-33211 https://www.cve.org/CVERecord?id=CVE-2025-33211 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| open-webui–open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.5 | CVE-2025-65958 | https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685 https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774 |
| open-webui–open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI’s Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.7 | CVE-2025-65959 | https://github.com/open-webui/open-webui/security/advisories/GHSA-8wvc-869r-xfqf https://github.com/open-webui/open-webui/commit/03cc6ce8eb5c055115406e2304fbf7e3338b8dce |
| orionsec–orion-ops | A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile Handler. Manipulation of the argument ID causes improper authorization. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13808 | VDB-333818; orionsec orion-ops User Profile UserController.java update improper authorization VDB-333818; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692068; orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Authorization / Horizontal Privilege Escalation https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md#proof-of-concept |
| pickplugins–User Verification by PickPlugins | The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the “user_verification_form_wrap_process_otpLogin” function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. | 2025-12-05 | 9.8 | CVE-2025-12374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141 |
| Plesk–Plesk | WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs “Create and manage sites” with “Domains management” and “Subdomains management.” | 2025-12-03 | 7.8 | CVE-2025-66431 | https://docs.plesk.com/release-notes/obsidian/whats-new/ https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074 https://support.plesk.com/hc/en-us/articles/36494997377687–CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root |
| plugins360–All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-12966 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b03bca1-84e3-4220-b39b-69044c42e9f9?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery/trunk/admin/import-export.php |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng’s simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng’s internal state management. Upgrade to libpng 1.6.52 or later. | 2025-12-03 | 7.1 | CVE-2025-66293 | https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f https://github.com/pnggroup/libpng/issues/764 https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a |
| RashminDungrani–online-banking | A vulnerability was found in RashminDungrani online-banking up to 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. This affects an unknown part of the file /site/dist/auth_login.php. Manipulation of the argument Username results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14192 | VDB-334612; RashminDungrani online-banking auth_login.php sql injection VDB-334612; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699237; online-banking web 1 SQL Injection https://github.com/BrillBigbang/hole-gap/blob/main/online-banking-have-sql.docx |
| Red Hat–Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. | 2025-12-04 | 8.8 | CVE-2025-66287 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-66287 RHBZ#2418857 https://webkitgtk.org/security/WSA-2025-0009.html |
| Red Hat–Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser. | 2025-12-03 | 7.4 | CVE-2025-13947 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-13947 RHBZ#2418576 |
| Red Hat–Red Hat JBoss Enterprise Application Platform 8 | A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoded as application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. | 2025-12-03 | 7.5 | CVE-2024-3884 | RHSA-2025:22773 RHSA-2025:22775 RHSA-2025:22777 RHSA-2025:3990 RHSA-2025:3992 https://access.redhat.com/security/cve/CVE-2024-3884 RHBZ#2275287 |
| rommapp–romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed, the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS), which, when combined with a CSRF misconfiguration, can lead to full administrative account takeover, creation of a rogue admin account, escalation of the attacker's account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | 7.6 | CVE-2025-65027 | https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx |
| rtowebsites–PostGallery | The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the ‘PostGalleryUploader’ class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-04 | 8.8 | CVE-2025-13543 | https://www.wordfence.com/threat-intel/vulnerabilities/id/13348eb5-5001-4ec4-bc6a-44795bbed203?source=cve https://plugins.trac.wordpress.org/browser/postgallery/tags/1.12.5/admin/PostGalleryUploader.php |
| Samsung Mobile–MotionPhoto | Improper access control in MPRemoteService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58481 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–MotionPhoto | Improper access control in MPLocalService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58482 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| shabti–Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms. | 2025-12-03 | 9.8 | CVE-2025-13342 | https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve https://plugins.trac.wordpress.org/changeset/3400432/acf-frontend-form-element |
| sigstore–fulcio | Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function’s argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3. | 2025-12-04 | 7.5 | CVE-2025-66506 | https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a |
| sigstore–timestamp-authority | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function’s argument). This vulnerability is fixed in 2.0.3. | 2025-12-04 | 7.5 | CVE-2025-66564 | https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2024-48882 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2119 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48882—Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-17-43_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-23417 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2139 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417—Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-26858 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2152 https://www.socomec.fr/sites/default/files/2025-10/CVE-2025-26858—Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-38-44_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus TCP over port 502. | 2025-12-01 | 8.6 | CVE-2025-55221 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503. | 2025-12-01 | 8.6 | CVE-2025-55222 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2024-49572 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2118 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-49572—Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-12-08_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability. | 2025-12-01 | 7.5 | CVE-2024-53684 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2116 https://www.socomec.fr/sites/default/files/2025-10/CVE-2024-53684—Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-43-14_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2025-20085 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2138 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-20085—Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-14-39_English_0.pdf |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54848 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54849 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54850 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec–DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54851 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec–Easy Config System | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability. | 2025-12-01 | 7.3 | CVE-2024-45370 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2117 https://www.socomec.fr/sites/default/files/2025-11/CVE-2024-45370—ECS-2610—CVSS31_VULNERABILITIES_2025-11-19-09-45-29_English_PLURI_3.pdf |
| Splunk–Splunk Enterprise | In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20386 | https://advisory.splunk.com/advisories/SVD-2025-1205 |
| Splunk–Splunk Enterprise | In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20387 | https://advisory.splunk.com/advisories/SVD-2025-1206 |
| Sprecher Automation–SPRECON-E-C | Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 is vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance. | 2025-12-02 | 9.8 | CVE-2025-41742 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf |
| Sprecher Automation–SPRECON-E-C | Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity. | 2025-12-02 | 9.1 | CVE-2025-41744 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stellarwp–Kadence WooCommerce Email Designer | The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 7.2 | CVE-2025-13387 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e0cf512-f676-4f47-abaa-5198998376b7?source=cve https://plugins.trac.wordpress.org/changeset/3399955/kadence-woocommerce-email-designer |
| strimzi–strimzi-kafka-operator | Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | 2025-12-05 | 7.4 | CVE-2025-66623 | https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc |
| stylemix–Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable. | 2025-12-02 | 8.8 | CVE-2025-12529 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L513 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L262 |
| Sunbird–DCIM dcTrack | DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance’s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine. | 2025-12-04 | 7.2 | CVE-2025-66238 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| Synology–BeeDrive for desktop | Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54158 | Synology-SA-25:08 BeeDrive for desktop |
| Synology–BeeDrive for desktop | Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2025-54159 | Synology-SA-25:08 BeeDrive for desktop |
| Synology–BeeDrive for desktop | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54160 | Synology-SA-25:08 BeeDrive for desktop |
| Synology–DiskStation Manager (DSM) | Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. | 2025-12-04 | 9.6 | CVE-2024-45538 | Synology-SA-24:27 DSM |
| Synology–DiskStation Manager (DSM) | Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2024-45539 | Synology-SA-24:27 DSM |
| Synology–Synology Router Manager (SRM) | A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages. | 2025-12-04 | 7.2 | CVE-2025-29846 | Synology-SA-25:04 SRM |
| Syslifters–sysreptor | SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102. | 2025-12-04 | 7.3 | CVE-2025-66561 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-64vw-v5c4-mgvm |
| ThinkInAIXYZ–deepchat | DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server. | 2025-12-03 | 9.7 | CVE-2025-66222 | https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7 |
| TOZED–ZLT M30S | A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14126 | VDB-334521; TOZED ZLT M30S/ZLT M30S PRO Web hard-coded credentials VDB-334521; CTI Indicators (IOB, IOC, TTP) Submit #697498; ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Backdoor Credentials https://youtu.be/o8rfjSlpRxY |
| TrippWasTaken–PHP-Guitar-Shop | A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 7.3 | CVE-2025-14091 | VDB-334481; TrippWasTaken PHP-Guitar-Shop Product Details product.php sql injection VDB-334481; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696514; PHP-Guitar-Shop web 1 SQL Injection https://github.com/appaxv/report/blob/main/guitarshopsql.docx |
| trustindex–Widgets for Google Reviews | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site. | 2025-12-06 | 7.2 | CVE-2025-12510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d?source=cve https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5932 https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5907 https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php?old=3398822&old_path=wp-reviews-plugin-for-google%2Ftrunk%2Ftrustindex-plugin.class.php |
| tsaiid–Featured Image via URL | The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12153 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve https://wordpress.org/plugins/featured-image-via-url/ |
| Ubuntu–MAAS | An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment. | 2025-12-03 | 7.7 | CVE-2025-7044 | https://bugs.launchpad.net/maas/+bug/2115714 |
| UGREEN–DH2100+ | A weakness has been identified in UGREEN DH2100+ up to 5.3.0.251125. This affects the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. Executing manipulation of the argument path can lead to buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14187 | VDB-334607; UGREEN DH2100+ nas_svr create handler_file_backup_create buffer overflow VDB-334607; CTI Indicators (IOB, IOC, IOA) Submit #698652; UGREEN DH2100+ NAS V4.2.0.601 Buffer Overflow https://www.notion.so/2b16cf4e528a80bbb5fdeff145f110ec |
| UGREEN–DH2100+ | A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14188 | VDB-334608; UGREEN DH2100+ nas_svr create handler_file_backup_create command injection VDB-334608; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698833; UGREEN DH2100+ NAS V4.2.0.601 Remote Command Execution https://www.notion.so/25e2b76e8e0c80578014fff04a950576 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11131 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11132 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11133 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In dpc modem, there is a possible system crash due to null pointer dereference. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-3012 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61607 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61608 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61609 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61610 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61617 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61618 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.–T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61619 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| UTT– 512W | A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formP2PLimitConfig. Such manipulation of the argument except leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14191 | VDB-334611; UTT 进取 512W formP2PLimitConfig strcpy buffer overflow VDB-334611; CTI Indicators (IOB, IOC, IOA) Submit #699220; UTT艾泰 进取 512W Router <=v3v1.7.7-171114 Buffer Overflow https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md#poc |
| UTT– 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14141 | VDB-334529; UTT 进取 520W formArpBindConfig strcpy buffer overflow VDB-334529; CTI Indicators (IOB, IOC, IOA) Submit #698522; UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/13.md https://github.com/cymiao1978/cve/blob/main/new/13.md#poc |
| vim–vim | Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947. | 2025-12-02 | 7.8 | CVE-2025-66476 | https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834 https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25 https://github.com/vim/vim/releases/tag/v9.1.1947 |
| vinoth06–User Generator and Importer | The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the “Import Using CSV File” function. This makes it possible for unauthenticated attackers to elevate user privileges by creating arbitrary accounts with administrator privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 8.8 | CVE-2025-12879 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82699a17-ea45-4493-98c4-07f62ca0b1f9?source=cve https://plugins.trac.wordpress.org/browser/user-importer-and-generator/tags/1.2.2/user-generator.php#L145 |
| vllm-project–vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(…) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1. | 2025-12-01 | 7.1 | CVE-2025-66448 | https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm https://github.com/vllm-project/vllm/pull/28126 https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86 |
| widgetpack–Rich Shortcodes for Google Reviews | The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2. | 2025-12-06 | 7.2 | CVE-2025-12499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2960224-4446-4fc6-8d18-6f9911b4cbad?source=cve https://plugins.trac.wordpress.org/changeset/3411521/widget-google-reviews https://plugins.trac.wordpress.org/changeset/3389203/widget-google-reviews |
| wpchill–Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ‘ajax_unzip_file’ function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-12-03 | 7.2 | CVE-2025-13645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/080683bb-713f-4aa8-b635-90c96f358bec?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1025 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1119 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wpchill–Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘ajax_unzip_file’ function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site’s server which may make remote code execution possible. | 2025-12-03 | 7.5 | CVE-2025-13646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59ee0ca2-846d-4ae8-ad19-7c3826861aeb?source=cve https://github.com/WPChill/modula-lite/blob/master/includes/admin/class-modula-gallery-upload.php#L1103 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wphocus–My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the ‘controller’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | 2025-12-05 | 8.1 | CVE-2025-12851 | https://www.wordfence.com/threat-intel/vulnerabilities/id/202a8493-6df0-4a5e-b6bf-099219830e01?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wphocus–My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-05 | 7.5 | CVE-2025-12850 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc4883b8-5783-49ff-ab3b-c568c9923227?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wpkube–Cool Tag Cloud | The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘cool_tag_cloud’ shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 8.1 | CVE-2025-13614 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac56190-4f81-464d-9737-ae2e3d4b0d0d?source=cve http://plugins.trac.wordpress.org/browser/cool-tag-cloud/trunk/cool-tag-cloud.php?marks=798-799#L682 |
| xwikisas–xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1. | 2025-12-05 | 8.3 | CVE-2025-65036 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f |
| yhirose–cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0. | 2025-12-05 | 10 | CVE-2025-66570 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xm2j-vfr9-mg9m https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| ZDoom–gzdoom | GZDoom is an open source, feature-centric port for all Doom engine games. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution. | 2025-12-03 | 7.8 | CVE-2025-54065 | https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg |
| ZSPACE–Q2C NAS | A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Manipulation of the argument safe_dir leads to command injection. The attack can be carried out remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14106 | VDB-334488 \| ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection VDB-334488 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697141 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80bab847dcc1fb677590 |
| ZSPACE–Q2C NAS | A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. Manipulation of the argument safe_dir results in command injection. The attack can be performed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14107 | VDB-334489 \| ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection VDB-334489 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697143 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc |
| ZSPACE–Q2C NAS | A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. Manipulation of the argument safe_dir causes command injection. The attack can be initiated remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14108 | VDB-334490 \| ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection VDB-334490 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697144 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80258f60fa529c48d291 |
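The cpp-httplib entry (CVE-2025-66570) above describes a header-shadowing bug: client headers are parsed into a multimap first, the server later appends its own metadata under the same names without erasing the client's copies, and a lookup that returns the first match hands the application the attacker's value. The following is an added example written for this page, not cpp-httplib's own code; it models that ordering in a few dozen lines with a simplified, case-sensitive header store, a constructed sample request, and the hardening pattern of erasing reserved names before the server inserts its values. The function and header names here (`read_headers`, `process_request_*`, `REMOTE_ADDR`) are assumptions chosen to mirror the description; the real fix is in the commit linked in the row.

```cpp
// Added example, not cpp-httplib code: a minimal model of the header shadowing
// pattern described for CVE-2025-66570.
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Simplified header store. std::multimap keeps equal keys in insertion order
// (emplace appends at the end of the equal range), so the first stored value
// for a name is the one that arrived first.
using Headers = std::multimap<std::string, std::string>;

struct Request {
    Headers headers;
    std::string remote_addr;  // what the socket layer actually observed

    // Mirrors the described lookup: first stored value for `key`, or "".
    std::string get_header_value(const std::string& key) const {
        auto it = headers.find(key);
        return it == headers.end() ? std::string() : it->second;
    }
};

// Parse "Name: value" lines from a raw request until the blank line.
// Assumption: header names are matched case-sensitively in this toy model.
void read_headers(std::istream& in, Headers& headers) {
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty()) break;  // end of header block
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        value.erase(0, value.find_first_not_of(" \t"));
        headers.emplace(name, value);  // client-supplied entries land first
    }
}

// Vulnerable pattern: server metadata is appended under a name the client may
// already have supplied, so the client's entry stays first and wins lookups.
void process_request_vulnerable(Request& req) {
    req.headers.emplace("REMOTE_ADDR", req.remote_addr);
}

// Hardening pattern: drop any client-supplied entries for the reserved name
// before the server inserts its own value.
void process_request_fixed(Request& req) {
    req.headers.erase("REMOTE_ADDR");
    req.headers.emplace("REMOTE_ADDR", req.remote_addr);
}

// Constructed sample request: the client smuggles a REMOTE_ADDR header.
static const char* kRawRequest =
    "Host: example.test\r\n"
    "REMOTE_ADDR: 10.0.0.1\r\n"
    "\r\n";

// Returns the REMOTE_ADDR the application layer would see under each pattern.
std::string observed_remote_addr(bool hardened) {
    Request req;
    req.remote_addr = "203.0.113.7";  // constructed: the real peer address
    std::istringstream in(kRawRequest);
    read_headers(in, req.headers);
    if (hardened) {
        process_request_fixed(req);
    } else {
        process_request_vulnerable(req);
    }
    return req.get_header_value("REMOTE_ADDR");
}

int main() {
    std::cout << "vulnerable: " << observed_remote_addr(false) << "\n";  // 10.0.0.1
    std::cout << "hardened:   " << observed_remote_addr(true) << "\n";   // 203.0.113.7
    return 0;
}
```

The same shadowing applies to any name the server treats as trusted metadata (the entry lists REMOTE_PORT, LOCAL_ADDR and LOCAL_PORT as well), and to downstream code that reads them for access-control or logging decisions; erasing before inserting, or keeping server metadata out of the client-controlled map entirely, removes the ambiguity.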
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| adreastrian–WP Social Ninja Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) | The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page. | 2025-12-02 | 6.1 | CVE-2025-13007 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= |
| ADSLR–B-QE2W401 | A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Manipulation of the argument del_swifimac results in command injection. The attack can be carried out remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13797 | VDB-333808 \| ADSLR B-QE2W401 send_order.cgi parameterdel_swifimac command injection VDB-333808 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691838 \| Adslr B-QE2W401 250814-r037c Remote code execution https://www.notion.so/2a60c75766a88027a6aec07b378332a8 |
| ADSLR–NBR1005GPEV2 | A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Manipulation of the argument mac can lead to command injection. The attack can be performed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13798 | VDB-333809 \| ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_add command injection VDB-333809 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691841 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8805a8973d2ff6a6bcb26 |
| ADSLR–NBR1005GPEV2 | A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. Manipulation of the argument mac leads to command injection. The attack can be initiated remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13799 | VDB-333810 \| ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_del command injection VDB-333810 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691842 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8801e8e4bdd3be8072d9d |
| ADSLR–NBR1005GPEV2 | A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. Manipulation of the argument mac results in command injection. The attack can be launched remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13800 | VDB-333811 \| ADSLR NBR1005GPEV2 send_order.cgi set_mesh_disconnect command injection VDB-333811 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691942 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a70c75766a88023aa0ed833ff0239e1 |
| alexkar–ARK Related Posts | The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin’s configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109 https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109 |
| AMTT–Hotel Broadband Operation System | A security flaw has been discovered in AMTT Hotel Broadband Operation System 1.0. This affects an unknown part of the file /manager/card/cardmake_down.php. Manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14090 | VDB-334480 \| AMTT Hotel Broadband Operation System cardmake_down.php sql injection VDB-334480 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696460 \| Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/CHENZHUANGLIN/cve/issues/2 |
| anastis–CSSIgniter Shortcodes | The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘element’ shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288419ad-fbb2-4a4a-8a40-89ae024e068d?source=cve https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/trunk/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/tags/2.4.1/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408092%40cssigniter-shortcodes&new=3408092%40cssigniter-shortcodes&sfp_email=&sfph_mail= |
| apptainer–apptainer | Apptainer is an open source container platform. In Apptainer versions before 1.4.5, a container can disable two forms of the little-used --security option, specifically --security=apparmor:<profile> and --security=selinux:<label>, which otherwise restrict the operations a container can perform. The --security option has always been documented in Apptainer as a feature for the root user, although these forms also work for unprivileged users on systems where the corresponding feature is enabled. AppArmor is enabled by default on Debian-based distributions and SELinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5. | 2025-12-02 | 4.5 | CVE-2025-65105 | https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/apptainer/apptainer/pull/3226 https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981 https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2 |
| ArcadeAI–arcade-mcp | Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerability is fixed in 1.5.4. | 2025-12-02 | 6.5 | CVE-2025-66454 | https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438 https://github.com/ArcadeAI/arcade-mcp/pull/691 https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817 |
| arnabkumar–Cute News Ticker | The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘color’ shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/92f53507-4475-401b-b57c-f6652a868be9?source=cve https://wordpress.org/plugins/cute-news-ticker/ https://plugins.trac.wordpress.org/browser/cute-news-ticker/trunk/main-function.php#L60 https://plugins.trac.wordpress.org/browser/cute-news-ticker/tags/1.0/main-function.php#L60 |
| ays-pro–Photo Gallery by Ays Responsive Image Gallery | The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the ‘process_bulk_action()’ function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13685 | https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php |
| beaverbuilder–Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the ‘fl-controls/v1’ namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide. | 2025-12-02 | 4.3 | CVE-2025-11726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail= |
| beaverbuilder–Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user’s authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages. | 2025-12-04 | 4.3 | CVE-2025-12782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/710ed734-ca98-4ab3-82d5-359e683ee062?source=cve https://plugins.trac.wordpress.org/changeset/3406987/beaver-builder-lite-version |
| bigmaster–Payaza | The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_nopriv_update_order_status’ AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses. | 2025-12-05 | 5.3 | CVE-2025-12355 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acc88688-76e0-4477-8b7c-eeff541881ab?source=cve https://wordpress.org/plugins/payaza/ |
| breadbutter–Bread & Butter: Gate content & Improve lead conversion in 60 seconds | The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411 https://github.com/d0n601/CVE-2025-12189 https://ryankozak.com/posts/cve-2025-12189/ |
| cgrymala–List Attachments Shortcode | The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘before_list’ parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a67b4ec2-b337-478f-aaaa-2ce19c4deb4c?source=cve https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L47 https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L85 |
| CKSource–CKFinder | In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided. | 2025-12-05 | 5 | CVE-2016-20023 | https://download.cksource.com/CKFinder/CKFinder%20for%20ASP.NET/2.5.0.1/ |
| code-projects–Employee Profile Management System | A vulnerability was determined in code-projects Employee Profile Management System 1.0. This vulnerability affects unknown code of the file /view_personnel.php. Manipulation of the argument per_id can lead to SQL injection. The attack can be launched remotely. A public exploit is available and may be used. | 2025-12-07 | 6.3 | CVE-2025-14193 | VDB-334613 \| code-projects Employee Profile Management System view_personnel.php sql injection VDB-334613 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699245 \| code-projects Employee Profile Management System published November 15, 2025 SQL Injection https://github.com/shenxianyuguitian/employee-management-SQL https://code-projects.org/ |
| code-projects–Employee Profile Management System | A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. Manipulation of the argument per_file results in unrestricted upload. The attack can be launched remotely. A public exploit is available and may be used. | 2025-12-07 | 6.3 | CVE-2025-14195 | VDB-334615 \| code-projects Employee Profile Management System add_file_query.php unrestricted upload VDB-334615 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699247 \| code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload https://github.com/shenxianyuguitian/employee-management-UFU https://code-projects.org/ |
| code-projects–Question Paper Generator | A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. Manipulation of the argument subid causes SQL injection. The attack can be performed remotely. A public exploit is available and may be used. | 2025-12-07 | 6.3 | CVE-2025-14203 | VDB-334646 \| code-projects Question Paper Generator selectquestionuser.php sql injection VDB-334646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700153 \| code-projects Question Paper 1.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL17.md https://code-projects.org/ |
| codeconfig–CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action. | 2025-12-06 | 5.3 | CVE-2025-13358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24 |
| codeconfig–CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin’s global accessibility settings. | 2025-12-06 | 4.3 | CVE-2025-13309 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3344e72-1dd6-45ec-b699-d755589a1566?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L23 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L19 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Enqueue.php#L135 |
| codejunkie–Clik stats | The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-04 | 6.1 | CVE-2025-13513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a047313-fdbc-47fa-912a-a624033bbce1?source=cve https://plugins.trac.wordpress.org/browser/clikstats/trunk/ck_admin.php#L47 https://plugins.trac.wordpress.org/browser/clikstats/tags/0.8/ck_admin.php#L47 |
| CODESYS–CODESYS PLCHandler | An unauthenticated remote attacker who wins a race condition can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service. | 2025-12-01 | 5.9 | CVE-2025-41739 | https://certvde.com/de/advisories/VDE-2025-099 |
| contentstudio–ContentStudio | The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/047fd07c-ab07-49bf-8a94-8ae33c92f93e?source=cve https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L380 https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L383 |
| d3395–CryptX | The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `cryptx` shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f8cb7d7-eb40-403e-85de-c16200ee424d?source=cve https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L149 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L237 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L604 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L1295 |
| danrajkumar–Nouri.sh Newsletter | The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13515 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f0587e-1f84-472c-8fb7-13ddda63e2ec?source=cve https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/trunk/templates/options.phtml#L7 https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/tags/v1.0.13/templates/options.phtml#L7 |
| Datateam Information Technologies Inc.–Datactive | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') and Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS. This issue affects Datactive: from 2.13.34 before 2.14.0.6. | 2025-12-02 | 4.8 | CVE-2025-13505 | https://www.usom.gov.tr/bildirim/tr-25-0424 |
| dayrui–XunRuiCMS | A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Manipulation results in server-side request forgery. The attack can be performed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14004 | VDB-334246 \| dayrui XunRuiCMS Email Setting admind45f74adbd95.php server-side request forgery VDB-334246 \| CTI Indicators (IOB, IOC, IOA) Submit #692907 \| Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-email_test-SSRF/xunruicms-email_test-SSRF.md |
| dayrui–XunRuiCMS | A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. Manipulation of the argument v causes server-side request forgery. The attack can be initiated remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14008 | VDB-334250 \| dayrui XunRuiCMS Project Domain Change Test admin79f2ec220c7e.php server-side request forgery VDB-334250 \| CTI Indicators (IOB, IOC, IOA) Submit #692915 \| Sichuan Xunrui Cloud Software Development Co., Ltd x <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-test_site_domain-SSRF/xunruicms-test_site_domain-SSRF.md |
| delabon–Live Sales Notification for Woocommerce Woomotiv | The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘woomotiv_limit’ parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13137 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve https://wordpress.org/plugins/woomotiv/ |
| devsoftbaltic–SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13140 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d96ea1b-1763-4a54-bd67-ac29175e9e01?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/delete_survey.php#L12 https://plugins.trac.wordpress.org/changeset/3403869/surveyjs/trunk/ajax_handlers/delete_survey.php |
| dojodigital–Live CSS Preview | The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_frontend_save’ AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin’s css setting. | 2025-12-05 | 4.3 | CVE-2025-12354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve https://wordpress.org/plugins/live-css-preview/ |
| dripadmin–CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the ‘ntzcrm_add_new_tag’ function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators. | 2025-12-05 | 5.3 | CVE-2025-13312 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f61b9de5-5c37-4efb-ad1c-006e9fc05bc2?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L828 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L14 |
| duddi–Image Optimizer by wps.sk | The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12190 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php |
| Edimax–BR-6478AC V3 | A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14092; VDB-334482; Edimax BR-6478AC V3 formDebugDiagnosticRun sub_416898 os command injection VDB-334482; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696632; EDIMAX BR-6478AC V3 1.0.15 Remote command execution | https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md |
| Edimax–BR-6478AC V3 | A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14093; VDB-334483; Edimax BR-6478AC V3 formTracerouteDiagnosticRun sub_416990 os command injection VDB-334483; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696633; EDIMAX BR-6478AC V3 1.0.15 Remote command execution | https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/2.md |
| Edimax–BR-6478AC V3 | A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14094; VDB-334484; Edimax BR-6478AC V3 formSysCmd sub_44CCE4 os command injection VDB-334484; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696668; EDIMAX BR-6478AC V3 1.0.15 Remote command execution | https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md |
| elextensions–ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited “Reply Tickets” permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data. | 2025-12-02 | 6.3 | CVE-2025-13534 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3541794b-7c8a-42f8-9688-7f3dbbb08e58?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.2/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121 |
| emaude–Canadian Nutrition Facts Label | The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘percentage’ field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12715 | https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557 |
| envoyproxy–envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token’s JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback’s reset() then clears the second fetch’s state (receiver_ and request_) which causes a crash when the async HTTP response arrives. | 2025-12-03 | 6.5 | CVE-2025-64527 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866 |
| envoyproxy–envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. | 2025-12-03 | 5 | CVE-2025-66220 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p |
| error311–FileRise | FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3. | 2025-12-01 | 4.6 | CVE-2025-66403 | https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29 https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e |
| everestthemes–Everest Backup WordPress Cloud Backup, Migration, Restore & Cloning Plugin | The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress. | 2025-12-03 | 5.3 | CVE-2025-10304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400800%40everest-backup&new=3400800%40everest-backup&sfp_email=&sfph_mail= |
| Facebook–proxygen | Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory. | 2025-12-02 | 5.3 | CVE-2025-55181 | https://www.facebook.com/security/advisories/cve-2025-55181 https://github.com/facebook/proxygen/commit/17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f |
| fit2cloud–Halo | A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 4.3 | CVE-2025-14117; VDB-334494; fit2cloud Halo cross-site request forgery VDB-334494; CTI Indicators (IOB, IOC) Submit #697391; fit2cloud Halo 2.21.10 Cross-Site Request Forgery | https://blksword.flowus.cn/ https://github.com/BlkSword/POC |
| floragunn–Search Guard FLX | In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges. | 2025-12-01 | 4.3 | CVE-2025-13653 | https://search-guard.com/cve-advisory/ https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_1 |
| Flux159–mcp-server-kubernetes | MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8. | 2025-12-03 | 6.4 | CVE-2025-66404 | https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b |
| Fortra–GoAnywhere MFT | An Improper Access Control in the SFTP service in Fortra’s GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key, but limited to Password authentication for SFTP, to still log in using their SSH key. | 2025-12-05 | 4.2 | CVE-2025-8148 | https://www.fortra.com/security/advisories/product-security/fi-2025-013 |
| frappe–frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 6.8 | CVE-2025-66206 | https://github.com/frappe/frappe/security/advisories/GHSA-v4wg-gqfr-rpjm |
| garidium–g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products. | 2025-12-06 | 5.3 | CVE-2025-12720 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634 https://github.com/d0n601/CVE-2025-12720 https://ryankozak.com/posts/cve-2025-12720/ |
| garidium–g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server. | 2025-12-06 | 5.3 | CVE-2025-12721 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fd8c981-081c-4671-ad1e-3caf004669dd?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-sync-endpoint.php#L1385 https://github.com/d0n601/CVE-2025-12721 https://ryankozak.com/posts/cve-2025-12721/ |
| georgestephanis–Application Passwords | The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘reject_url’ parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the “No, I do not approve of this connection” button, granted they can successfully trick the victim into performing an action such as clicking on a link. | 2025-12-06 | 5.4 | CVE-2025-13308 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.8 | CVE-2025-66302 | https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.2 | CVE-2025-66304 | https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The “Forgot Password” functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | 6.5 | CVE-2025-66307 | https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.9 | CVE-2025-66303 | https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.3 | CVE-2025-66306 | https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62 |
| HCL Software–BigFix SaaS Remediate | The BigFix SaaS’s HTTP responses were missing some security headers. The absence of these headers weakens the application’s client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks. | 2025-12-02 | 5.4 | CVE-2025-52622 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127171 |
| helloprint–Plug your WooCommerce into the largest catalog of customized print products from Helloprint | The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID. | 2025-12-06 | 5.3 | CVE-2025-13666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48 https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48 |
| Himool–ERP | A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14089; VDB-334479; Himool ERP AdminActionViewSet update_account improper authorization VDB-334479; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696049; Himool ERP 2.2 Missing Authentication for Critical Function | https://gitee.com/himool/erp https://github.com/caigo8/CVE-md/blob/main/BoxwoodERP/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md |
| huyme–Webcake Landing Page Builder | The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘webcake_save_config’ AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin’s settings. | 2025-12-05 | 4.3 | CVE-2025-12165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve https://wordpress.org/plugins/webcake/ |
| instantsearchplus–Search, Filters & Merchandising for WooCommerce | The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wcis_save_email’ endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin. | 2025-12-06 | 4.3 | CVE-2025-12091 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daa8f941-6e87-4b94-8526-f73770fe6f82?source=cve https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/tags/3.0.64/public/wcis_plugin.php#L1074 https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/trunk/public/wcis_plugin.php#L1074 |
| jairiidriss–RestaurantWebsite | A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13802; VDB-333812; jairiidriss RestaurantWebsite Make a Reservation cross site scripting VDB-333812; CTI Indicators (IOB, IOC, TTP, IOA) Submit #691839; restaurant-website-php-mysql-master web 1 XSS vulnerability | https://github.com/dream357/report/blob/main/restaurant-website-report.docx |
| jevgenisultanov–Norby AI | The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin’s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc6f6e2-6777-4056-95d0-e3d3e7ad7a22?source=cve https://plugins.trac.wordpress.org/browser/norby-ai/trunk/api/save.php#L23 https://plugins.trac.wordpress.org/browser/norby-ai/tags/1.0.3/api/save.php#L23 |
| jiangxin–CoSign Single Signon | The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bbeab52-59a9-4d8d-8e3e-ebcbbca9816b?source=cve https://plugins.trac.wordpress.org/browser/cosign-sso/trunk/cosign-sso.php#L423 https://plugins.trac.wordpress.org/browser/cosign-sso/tags/0.3.1/cosign-sso.php#L423 |
| jimmyredline80–SSP Debug | The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. | 2025-12-05 | 5.3 | CVE-2025-13494 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af78-9b734c66af8c?source=cve https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L221 https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.php#L221 |
| jsnjfz–WebStack-Guns | A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13811; VDB-333821; jsnjfz WebStack-Guns PageFactory.java sql injection VDB-333821; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692084; WebStack-Guns Project WebStack-Guns 1.0 SQL Injection | https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md#proof-of-concept |
| jsnjfz–WebStack-Guns | A vulnerability was found in jsnjfz WebStack-Guns 1.0. This affects the function renderPicture of the file src/main/java/com/jsnjfz/manage/modular/system/controller/KaptchaController.java. Performing manipulation results in path traversal. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.3 | CVE-2025-13810; VDB-333820; jsnjfz WebStack-Guns KaptchaController.java renderPicture path traversal VDB-333820; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692080; WebStack-Guns Project (GitHub organization jsnjfz) WebStack-Guns 1.0 (latest master) Path Traversal / Arbitrary File Read (CWE-22) | https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md#proof-of-concept |
| kaushikankrani–Hide Categories Or Products On Shop Page | The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12128 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/ |
| KDE–KDE Connect information-exchange protocol | In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.3 | CVE-2025-32900 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-2.txt |
| KDE–KDE Connect protocol | The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49. | 2025-12-05 | 4.7 | CVE-2025-66270 | https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce https://kde.org/info/security/advisory-20251128-1.txt |
| KDE–KDE Connect verification-code protocol | The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.7 | CVE-2025-32898 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-3.txt |
| KDE–KDEConnect | In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. | 2025-12-05 | 4.3 | CVE-2025-32899 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-1.txt |
| KDE–KDEConnect | In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | 2025-12-05 | 4.3 | CVE-2025-32901 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-4.txt |
| ketr–JEPaaS | A vulnerability was determined in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is an unknown functionality of the file /je/load. This manipulation of the argument Authorization causes improper authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-05 | 6.3 | CVE-2025-14088; VDB-334478; ketr JEPaaS load improper authorization VDB-334478; CTI Indicators (IOB, IOC, TTP, IOA) Submit #695316; Beijing Kaite Weiye Science and Technology Co.,Ltd. JEPaaS JEPaaSV7.2.8 vertical privilege escalation vulnerability | https://github.com/zhangbuneng/The-Jepaas-platform-has-a-vertical-privilege-escalation-vulnerability./issues/1 |
| kevindees–FitVids for WordPress | The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12124 | https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve https://wordpress.org/plugins/fitvids-for-wordpress/ |
| krupenik–RevInsite | The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13863 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25 https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25 |
| ksakai–Yet Another WebClap for WordPress | The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘text’ parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13857 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca50e5e7-be46-40f1-9782-a72ca8ab7e9a?source=cve https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/trunk/yawebclap.php#L28 https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/tags/0.2/yawebclap.php#L28 |
| LINE Corporation–Central Dogma | Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft. | 2025-12-04 | 6.1 | CVE-2025-11222 | https://github.com/line/centraldogma/security/advisories/GHSA-4hr2-xf7w-jf76 |
| linkwhspr–Link Whisper Free | The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-11263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php |
| listingthemes–WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 4.9 | CVE-2025-13090 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail= |
| macrozheng–mall-swarm | A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 5.4 | CVE-2025-14016 | VDB-334257; macrozheng mall-swarm delete improper authorization VDB-334257; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694797; mall-swarm <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/17 |
| Mattermost–Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | 2025-12-01 | 4.3 | CVE-2025-12756 | https://mattermost.com/security-updates |
| Medtronic–CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 5.3 | CVE-2025-12994 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Medtronic–CareLink Network | Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 4.1 | CVE-2025-12996 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| michael_j_reid–Weekly Planner | The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12186 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1cd2d269-5af2-40ab-b424-505c95c56688?source=cve https://wordpress.org/plugins/weekly-planner/#description |
| michaelcole1991–Extra Post Images | The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101 |
| Microsoft–Microsoft Edge (Chromium-based) | User interface (ui) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network. | 2025-12-05 | 4.3 | CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
| MiR–Robot | Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks. | 2025-12-01 | 6.1 | CVE-2025-13819 | https://mobile-industrial-robots.com/security-advisories/cve-2025-13819-open-redirect https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/ |
| missi–Jabbernotification | The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13622 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e9a872d-575c-455c-8f26-709878817ae0?source=cve https://wordpress.org/plugins/jabberbenachrichtigung/ https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/tags/0.99-RC2/jabbernotification.php#L85 https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/trunk/jabbernotification.php#L85 |
| monkeyboz–Quantic Social Image Hover | The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin’s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13360 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43a237fd-5d3a-47fb-bacf-ceb5eeaa8bbb?source=cve https://plugins.trac.wordpress.org/browser/tw-image-hover-share/trunk/tw-image-hover.php#L103 https://plugins.trac.wordpress.org/browser/tw-image-hover-share/tags/1.0.8/tw-image-hover.php#L103 |
| moxi159753–Mogu Blog v2 | A weakness has been identified in moxi159753 Mogu Blog v2 up to 5.2. The affected element is an unknown function of the file /file/pictures. This manipulation of the argument filedatas causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13815 | VDB-333824; moxi159753 Mogu Blog v2 pictures unrestricted upload VDB-333824; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692106; moxi159753 mogu_blog_v2 <=v5.2 Unrestricted Upload of File with Dangerous Type https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md#proof-of-concept |
| moxi159753–Mogu Blog v2 | A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13816 | VDB-333825; moxi159753 Mogu Blog v2 ZIP File unzipFile FileOperation.unzip path traversal VDB-333825; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692107; moxi159753 mogu_blog_v2 <=v5.2 Path Traversal / Zip Slip https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md#proof-of-concept |
| moxi159753–Mogu Blog v2 | A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack’s complexity is rated as high. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.6 | CVE-2025-13813 | VDB-333822; moxi159753 Mogu Blog v2 Storage Management Endpoint storage authorization VDB-333822; CTI Indicators (IOB, IOC, IOA) Submit #692104; moxi159753 mogu_blog_v2 <=v5.2 Broken Access Control / Missing Authorization https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md#proof-of-concept |
| mrdenny–Time Sheets | The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-10055 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d8b57de-d02c-40c0-abdb-ff490bcf429e?source=cve https://wordpress.org/plugins/time-sheets/ |
| mxchat–MxChat AI Chatbot for WordPress | The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data. | 2025-12-03 | 5.3 | CVE-2025-12585 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cf1a90d-6157-40e7-aed8-4d18bc22432d?source=cve https://plugins.trac.wordpress.org/browser/mxchat-basic/trunk/includes/class-mxchat-integrator.php#L107 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406402%40mxchat-basic&new=3406402%40mxchat-basic&sfp_email=&sfph_mail= |
| n/a–Blood Bank Management System 1.0 | A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user’s session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim’s account. | 2025-12-01 | 6.1 | CVE-2025-63529 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md |
| n/a–JIZHICMS | A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14011 | VDB-334252; JIZHICMS Add Display Name Field addcomment.html commentlist sql injection VDB-334252; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694644; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection Submit #694645; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection (Duplicate) https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-addcomment.html-aid%20parameter-SQL%20injection/jizhicms-addcomment.html-aid%20parameter-SQL%20injection.md |
| n/a–JIZHICMS | A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14012 | VDB-334253; JIZHICMS Batch Delete Comments deleteAll.html delete sql injection VDB-334253; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694647; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection.md |
| n/a–KerOS prior to 5.12 | Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected. | 2025-12-01 | 5.3 | CVE-2024-32388 | https://www.bdosecurity.de/en-gb/advisories/cve-2024-32388 https://keros.docs.kerlink.com/security/security_advisories_kerOS5 |
| n/a–KerOS prior to version 5.10 | Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device. | 2025-12-01 | 6.8 | CVE-2024-32384 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-32384 |
| n/a–nocobase | A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobasepackagescoreauthsrcbasejwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of a hard-coded cryptographic key. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.6 | CVE-2025-13877 | VDB-334033; nocobase JWT Service jwt-service.ts hard-coded key VDB-334033; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692205 https://github.com/nocobase https://github.com/nocobase/nocobase Latest Authorization Bypass https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d |
| natambu–Twitscription | The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13623 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6e7756-d8cc-4380-a93e-47d7916a5f7b?source=cve https://wordpress.org/plugins/twitscription/ https://plugins.trac.wordpress.org/browser/twitscription/tags/0.1.1/twitscription.php#L101 https://plugins.trac.wordpress.org/browser/twitscription/trunk/twitscription.php#L101 |
| nedwp–Feedback Modal for Website | The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘handle_export’ function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the ‘export_data’ parameter. | 2025-12-05 | 5.3 | CVE-2025-13528 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3341c29-a69e-4618-a8a5-11f4141ff88f?source=cve https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/trunk/inc/admin/main.php#L1011 https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/tags/1.0.1/inc/admin/main.php#L1011 |
| Nextcloud–Nextcloud | Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user’s browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. | 2025-12-04 | 6.4 | CVE-2025-59788 | https://nextcloud.com https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24wp-p865-7j4r |
| nextcloud–security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim’s table. This vulnerability is fixed in 0.8.6 and 0.9.3. | 2025-12-05 | 6.3 | CVE-2025-66551 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7 https://github.com/nextcloud/tables/pull/1810 https://github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731c https://hackerone.com/reports/3137895 |
| nextcloud–security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server’s web page. | 2025-12-05 | 5.4 | CVE-2025-66512 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5 https://github.com/nextcloud/viewer/pull/3023 https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335b63 https://hackerone.com/reports/3357808 |
| nextcloud–security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4. | 2025-12-05 | 5.7 | CVE-2025-66550 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv https://github.com/nextcloud/calendar/pull/6971 https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769 https://hackerone.com/reports/3112033 |
| nextcloud–security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with “Can share” permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. | 2025-12-05 | 5.4 | CVE-2025-66557 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv https://github.com/nextcloud/deck/pull/7131 https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae https://hackerone.com/reports/3247499 |
| nextcloud–security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed retrieving personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts. | 2025-12-05 | 4.5 | CVE-2025-66510 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59 https://github.com/nextcloud/server/pull/55657 https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57 |
| nextcloud–security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerability is fixed in 6.0.3. | 2025-12-05 | 4.8 | CVE-2025-66511 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 https://github.com/nextcloud/calendar/pull/7659 https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb https://hackerone.com/reports/3385434 |
| nextcloud–security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | 2025-12-05 | 4.3 | CVE-2025-66513 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2cwj-qp49-4xfw https://github.com/nextcloud/tables/pull/2148 https://github.com/nextcloud/tables/commit/b92b9560b1e70a02b103a7aeb9e22e2ab5231873 https://hackerone.com/reports/3334165 |
| nextcloud–security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66547 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2 https://github.com/nextcloud/server/issues/51247 https://github.com/nextcloud/server/pull/51288 https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9 https://hackerone.com/reports/3040887 |
| nextcloud–security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66552 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x https://github.com/nextcloud/server/pull/50992 https://github.com/nextcloud/server/commit/7cc005c43c72bc384848cf8cb851895827c412f6 https://hackerone.com/reports/2890071 |
| nextcloud–security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | 2025-12-05 | 4.3 | CVE-2025-66553 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p53h-6294-crjw https://github.com/nextcloud/tables/pull/1891 https://github.com/nextcloud/tables/commit/e975f5bfedb6922f04cdd236cde4e26067fe064e https://hackerone.com/reports/3138721 |
| nutzam–NutzBoot | A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-01 | 4.3 | CVE-2025-13804 | VDB-333814; nutzam NutzBoot Ethereum Wallet EthModule.java information disclosure VDB-333814; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692050; NutzBoot project NutzBoot NutzBoot 2.6.0-SNAPSHOT Information Disclosure (Wallet password leakage) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md#vulnerability-details-and-poc |
| omnipressteam–Omnipress | The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-12-05 | 6.4 | CVE-2025-12163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15aabe3b-1b77-4e4e-9710-cf06924dbcbf?source=cve https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/RestApi/Controllers/V1/FileUploadRestController.php#L57 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L85 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L106 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/Core/RestControllersBase.php#L81 https://cwe.mitre.org/data/definitions/434.html https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload |
| opsre–go-ldap-admin | A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of a hard-coded cryptographic key. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. | 2025-12-03 | 5.6 | CVE-2025-13948 | VDB-334163; opsre go-ldap-admin JWT docker-compose.yaml hard-coded key VDB-334163; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692213 https://github.com/opsre https://github.com/opsre/go-ldap-admin Latest Authorization Bypass https://gist.github.com/H2u8s/a51ac1fe38d62746d1425b70ff49420c |
| optimizingmatters–Autoptimize | The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the “create_img_preload_tag” function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed5bdb3-c4cd-4982-bc47-feeff527e284?source=cve https://plugins.trac.wordpress.org/changeset/3401333/autoptimize |
| orionsec–orion-ops | A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoController.java of the component SSH Connection Handler. Such manipulation of the argument host/sshPort/username/password/authType leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13809 | VDB-333819; orionsec orion-ops SSH Connection MachineInfoController.java server-side request forgery VDB-333819; CTI Indicators (IOB, IOC, IOA) Submit #692069; orionsec (project owner of Orion-ops) Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md#proof-of-concept |
| orionsec–orion-ops | A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java of the component API. The manipulation results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13807 | VDB-333817 | orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization VDB-333817 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692066 | orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Access Control / Information Disclosure (exposed machin https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md#proof-of-concept |
| ovologics–PDF Catalog for WooCommerce | The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pdfcatalog’ AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 5.4 | CVE-2025-12191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5f5e33-e066-4a85-9367-4b8c2f948adf?source=cve https://wordpress.org/plugins/pdf-catalog-for-woocommerce/ |
| passionui–Listar Directory Listing & Classifieds WordPress Plugin | The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘/wp-json/listar/v1/place/delete’ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | 2025-12-06 | 4.3 | CVE-2025-12574 | https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| passionui–Listar Directory Listing & Classifieds WordPress Plugin | The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘/wp-json/listar/v1/place/save’ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details. | 2025-12-06 | 4.3 | CVE-2025-12577 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| paulepro2019–EPROLO Dropshipping | The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | 2025-12-05 | 4.3 | CVE-2025-12133 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve https://wordpress.org/plugins/eprolo-dropshipping/ |
| PDF-XChange Co. Ltd–PDF-XChange Editor | An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. | 2025-12-02 | 6.5 | CVE-2025-58113 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2280 |
| phegman–Trail Manager | The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-13682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb43502e-dedd-46ff-b8e8-68298779f125?source=cve https://wordpress.org/plugins/trail-manager/ |
| pntrinh–TR Timthumb | The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13899 | https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39 https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39 |
| posimyththemes–Nexter Extension Site Enhancements Toolkit | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘nxt-year’ shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13731 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809cd97c-22ea-49e7-be46-688fefe50236?source=cve https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L66 https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L136 https://plugins.trac.wordpress.org/changeset?old=3402155&old_path=nexter-extension%2Ftags%2F4.4.1%2Finclude%2Fclass-nexter-load-ext.php&new=3403967&new_path=nexter-extension%2Ftags%2F4.4.2%2Finclude%2Fclass-nexter-load-ext.php |
| projectopia–Projectopia WordPress Project Management | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | 2025-12-05 | 5.3 | CVE-2025-12876 | https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389 |
| ProudMuBai–GoFilm | A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-03 | 6.3 | CVE-2025-13949 | VDB-334164 | ProudMuBai GoFilm FileController.go SingleUpload unrestricted upload VDB-334164 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692774 | GoFilm 1.0.1 Unrestricted Upload https://github.com/yzlala1147/cve/issues/1 |
| Rareprob–HD Video Player All Formats App | A security vulnerability has been detected in Rareprob HD Video Player All Formats App 12.1.372 on Android. Impacted is an unknown function of the component com.rocks.music.videoplayer. The manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.3 | CVE-2025-13876 | VDB-334032 | Rareprob HD Video Player All Formats App com.rocks.music.videoplayer path traversal VDB-334032 | CTI Indicators (IOB, IOC, TTP) Submit #692169 | RAREPROB SOLUTIONS PRIVATE LIMITED HD Video Player All Formats APP(com.rocks.music.videoplayer) V12.1.372 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/HD%20Video%20Player%20All%20Formats/HD%20Video%20Player%20All%20Formats%20APP%20Arbitrary%20File%20Overwrite%20Vulnerability.md |
| Rarlab–RAR App | A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professionally: “This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (…) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn’t affected.” | 2025-12-05 | 5 | CVE-2025-14111 | VDB-334491 | Rarlab RAR App com.rarlab.rar path traversal VDB-334491 | CTI Indicators (IOB, IOC, TTP) Submit #697375 | Rarlab RAR APP(com.rarlab.rar) <=V7.11.build127 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md |
| realloc–myLCO | The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/132efd40-1c90-4d2a-a87c-504526b7a7d4?source=cve https://wordpress.org/plugins/mylco https://plugins.trac.wordpress.org/browser/mylco/trunk/myLCO.php#L438 https://plugins.trac.wordpress.org/browser/mylco/tags/0.8.1/myLCO.php#L438 |
| realmag777–HUSKY Products Filter Professional for WooCommerce | The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the “woof_add_query” and “woof_remove_query” functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user’s profile, including administrators. | 2025-12-03 | 4.3 | CVE-2025-13109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41de?source=cve https://plugins.trac.wordpress.org/changeset/3400527 |
| Red Hat–Red Hat Ceph Storage 5 | A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access. | 2025-12-04 | 5.5 | CVE-2025-14010 | https://access.redhat.com/security/cve/CVE-2025-14010 RHBZ#2418774 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. | 2025-12-05 | 6.1 | CVE-2025-14104 | https://access.redhat.com/security/cve/CVE-2025-14104 RHBZ#2419369 |
| Red Hat–Red Hat OpenShift Dev Spaces | A container privilege escalation flaw was found in certain CodeReady Workspaces images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2025-12-02 | 5.2 | CVE-2025-57850 | https://access.redhat.com/security/cve/CVE-2025-57850 RHBZ#2391103 |
| roselldk–WebP Express | The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data. | 2025-12-04 | 5.3 | CVE-2025-11379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c28479bf-768a-4ab4-8e74-ad367b9b744f?source=cve https://wordpress.org/plugins/webp-express/ |
| roxnor–ShopEngine Elementor WooCommerce Builder Addon All in One WooCommerce Solution | The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the “post_add_to_list” function as well as an incorrect permissions callback in the “Api/init” function. This makes it possible for unauthenticated attackers to add or remove products from a user’s wishlist via a forged request granted they can trick a site’s user into performing an action such as clicking on a link. | 2025-12-03 | 4.3 | CVE-2025-12358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve https://plugins.trac.wordpress.org/changeset/3401226/shopengine |
| roxnor–Wp Social Login and Register Social Counter | The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests. | 2025-12-05 | 5.3 | CVE-2025-13620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa205d7-61ce-4ab9-b532-fd0b46b0f6a0?source=cve https://plugins.trac.wordpress.org/changeset/3402340/wp-social/tags/3.1.4/inc/admin-rest-api.php |
| saadiqbal–Post SMTP Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App | The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the ‘handle_gmail_oauth_redirect’ function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. | 2025-12-03 | 5.4 | CVE-2025-12887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd9f312-99e1-4dc2-855d-90339c2e24da?source=cve https://plugins.trac.wordpress.org/changeset/3402203 |
| Samsung Mobile–Galaxy Store for Galaxy Watch | Improper export of android application components in Galaxy Store for Galaxy Watch prior to version 1.0.06.29 allows local attacker to install arbitrary application on Galaxy Store. | 2025-12-02 | 5.9 | CVE-2025-58483 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Account | Improper input validation in Samsung Account prior to version 15.5.01.1 allows local attacker to execute arbitrary script. | 2025-12-02 | 4 | CVE-2025-58486 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Account | Improper authorization in Samsung Account prior to version 15.5.01.1 allows local attacker to launch arbitrary activity with Samsung Account privilege. | 2025-12-02 | 4 | CVE-2025-58487 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Cloud Assistant | Incorrect default permissions in Samsung Cloud Assistant prior to version 8.0.03.8 allows local attacker to access partial data in sandbox. | 2025-12-02 | 4 | CVE-2025-58484 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Internet | Improper input validation in Samsung Internet prior to version 29.0.0.48 allows local attackers to inject arbitrary script. | 2025-12-02 | 5.5 | CVE-2025-58485 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Improper export of android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen’s privilege. | 2025-12-02 | 6.2 | CVE-2025-21080 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Out-of-bounds write in decoding metadata in fingerprint trustlet prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.7 | CVE-2025-21072 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.6 | CVE-2025-58475 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Out-of-bounds read vulnerability in bootloader prior to SMR Dec-2025 Release 1 allows physical attackers to access out-of-bounds memory. | 2025-12-02 | 4.2 | CVE-2025-58476 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58477 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Out-of-bounds write in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58478 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Out-of-bounds read in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58479 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–Samsung Mobile Devices | Heap-based buffer overflow in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58480 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile–SmartTouchCall | Improper verification of source of a communication channel in SmartTouchCall prior to version 1.0.1.1 allows remote attackers to access sensitive information. User interaction is required for triggering this vulnerability. | 2025-12-02 | 4.5 | CVE-2025-58488 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co.–Onaylarım | Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse. This issue affects Onaylarım: from 25.09.26.01 through 18112025. | 2025-12-01 | 4.3 | CVE-2025-13129 | https://www.usom.gov.tr/bildirim/tr-25-0422 |
| SGAI–Space1 NAS N1211DS | A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14184 | VDB-334604 | SGAI Space1 NAS N1211DS gsaiagent JSONAPI NGNIX_UPLOAD command injection VDB-334604 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698568 | SGAI N1211DS NAS v1.0.915 Command Injection Submit #698569 | SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) Submit #698570 | SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) https://www.notion.so/2b16cf4e528a80858abbf62b721a54b0 https://www.notion.so/2b16cf4e528a80f2ada9dc83651a4013 |
| SGAI–Space1 NAS N1211DS | A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 4.3 | CVE-2025-14183 | VDB-334603 | SGAI Space1 NAS N1211DS gsaiagent JSONAPI GET_USER_INFO credentials storage VDB-334603 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698566 | SGAI N1211DS NAS v1.0.915 Improper Authentication Submit #698567 | SGAI N1211DS NAS v1.0.915 Improper Authentication (Duplicate) https://www.notion.so/2b16cf4e528a8000b30bd543247fa1bd https://www.notion.so/2b16cf4e528a80859264db63f2340d7a |
| siamlottery–Thai Lottery Widget | The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/949eb9d6-0c8f-43f1-8580-998ea78c9549?source=cve https://plugins.trac.wordpress.org/browser/thai-lottery-widget/trunk/thailottery.php#L330 https://plugins.trac.wordpress.org/browser/thai-lottery-widget/tags/2.5/thailottery.php#L330 |
| smackcoders–Export All Posts, Products, Orders, Refunds & Users | The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 6.5 | CVE-2025-13606 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve https://plugins.trac.wordpress.org/changeset/3405694/ |
| smallstep–certificates | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0. | 2025-12-03 | 5 | CVE-2025-66406 | https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr |
| Sobey–Media Convergence System | A vulnerability has been found in Sobey Media Convergence System 2.0/2.1. This vulnerability affects unknown code of the file /sobey-mchEditor/watermark/upload. The manipulation of the argument File leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14182 | VDB-334602 | Sobey Media Convergence System upload path traversal VDB-334602 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698561 | Chengdu Sobey Digital Technology Co., Ltd. Sobey Media Convergence System V2.0-2.1 Uploaded File https://github.com/hacker-routing/cve/issues/1 |
| Socomec–DIRIS Digiware M-70 | A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | 2025-12-01 | 5.9 | CVE-2024-48894 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2115 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48894—Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-22-18_English_0.pdf |
| softdiscover–Zigaform Price Calculator & Cost Estimation Form Builder Lite | The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values. | 2025-12-02 | 5.3 | CVE-2025-13696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567?source=cve https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/trunk/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/tags/7.6.5/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&new=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&sfp_email=&sfph_mail= https://github.com/Softdiscover/Zigaform-WP-Cost-Estimator-Lite/commit/f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8 |
| sozan45–Ultra Skype Button | The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘btn_id’ parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13898 | https://www.wordfence.com/threat-intel/vulnerabilities/id/20b3c88f-a0df-4814-83b6-27440c5ad38e?source=cve https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L44 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L44 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities. | 2025-12-03 | 5.3 | CVE-2025-20384 | https://advisory.splunk.com/advisories/SVD-2025-1203 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert. | 2025-12-03 | 4.3 | CVE-2025-20383 | https://advisory.splunk.com/advisories/SVD-2025-1202 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS). | 2025-12-03 | 4.3 | CVE-2025-20389 | https://advisory.splunk.com/advisories/SVD-2025-1208 |
| Splunk–Splunk MCP Server | In Splunk MCP Server app versions below 0.2.4, a user with access to the “run_splunk_query” Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions. | 2025-12-03 | 5.4 | CVE-2025-20381 | https://advisory.splunk.com/advisories/SVD-2025-1210 |
| Sprecher Automation–SPRECON-E-C | Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes. | 2025-12-02 | 4 | CVE-2025-41743 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stevejburge–Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the “getTermsForAjax” function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors). | 2025-12-03 | 6.5 | CVE-2025-13359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9bebdc0-1625-4dc4-8c92-37f379868cd5?source=cve https://github.com/TaxoPress/TaxoPress/commit/1097a22181aa10ce55cc9cd5fa8495f7494e18ea |
| stevejburge–Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘existing_terms_orderby’ parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques. | 2025-12-06 | 6.5 | CVE-2025-13922 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151?source=cve https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php#L1406 https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L180 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3408243%40simple-tags%2Ftrunk&old=3388829%40simple-tags%2Ftrunk&sfp_email=&sfph_mail=#file17 |
| stevejburge–Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the “taxopress_merge_terms_batch” function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms. | 2025-12-03 | 4.3 | CVE-2025-13354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0 |
| sumotto–CSV Sumotto | The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6aa8089-1c29-41ef-b2c0-06841751f7a5?source=cve https://plugins.trac.wordpress.org/browser/csv-sumotto/trunk/csv_sumotto_settings.php#L53 |
| Sunbird–DCIM dcTrack | DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. | 2025-12-04 | 6.7 | CVE-2025-66237 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| switch2mac–WP-SOS-Donate Donation Sidebar Plugin | The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13625 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5123c672-e769-4d44-9912-e159d3e186c1?source=cve https://wordpress.org/plugins/wp-sos-donate/ https://plugins.trac.wordpress.org/browser/wp-sos-donate/trunk/wp-sos-donate_options.php#L45 https://plugins.trac.wordpress.org/browser/wp-sos-donate/tags/0.9.2/wp-sos-donate_options.php#L45 |
| sylabs–singularity | SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5. | 2025-12-02 | 4.5 | CVE-2025-64750 | https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/pull/3850 https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33 https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0 https://github.com/advisories/GHSA-fh74-hm69-rqjw |
| Synaptics–Synaptics Fingerprint Driver | A carefully crafted DLL, copied to the C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | 2025-12-01 | 6.6 | CVE-2025-11772 | https://www.synaptics.com/sites/default/files/2025-12/fingerprint-driver-co-installer-security-brief-2025-12-01.pdf |
| Synology–BeeDrive for desktop | Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | 2025-12-04 | 5.6 | CVE-2025-8074 | Synology-SA-25:09 BeeDrive for desktop |
| Synology–DiskStation Manager (DSM) | Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. | 2025-12-04 | 4.3 | CVE-2024-5401 | Synology-SA-24:27 DSM |
| Synology–Synology Mail Server | A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | 2025-12-04 | 6.3 | CVE-2025-2848 | Synology-SA-25:05 Mail Server |
| Synology–Synology Router Manager (SRM) | A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files. | 2025-12-04 | 5.4 | CVE-2025-29843 | Synology-SA-25:04 SRM |
| Synology–Synology Router Manager (SRM) | A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information. | 2025-12-04 | 4.3 | CVE-2025-29844 | Synology-SA-25:04 SRM |
| Synology–Synology Router Manager (SRM) | A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. | 2025-12-04 | 4.3 | CVE-2025-29845 | Synology-SA-25:04 SRM |
| takeads–Takeads | The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin’s configuration options. | 2025-12-05 | 4.3 | CVE-2025-12370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f3619d9-7572-439e-a284-d59ef5de08f3?source=cve https://plugins.trac.wordpress.org/browser/monetize-link/tags/1.0.13/src/MLP_Ajax.php#L8 |
| teamdream–dream gallery | The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the ‘dreampluginsmain’ AJAX action. This makes it possible for unauthenticated attackers to update the plugin’s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13621 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3cdf6ba0-2866-4347-8518-bb1d2e40bab3?source=cve https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L254 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L257 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/templates/front.php#L38 https://plugins.trac.wordpress.org/browser/dream-gallery/trunk/dreamgallery.php#L254 |
| techjewel–Fluent Booking The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the “importCalendar” function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them. | 2025-12-03 | 4.3 | CVE-2025-13756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7860dfa8-de76-4ca3-bd80-98550afab56b?source=cve https://plugins.trac.wordpress.org/changeset/3404176/fluent-booking/tags/1.10.0/app/Hooks/Handlers/DataImporter.php |
| techjewel–Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the ‘submission_id’ parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier. | 2025-12-06 | 5.3 | CVE-2025-13748 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php |
| Tekrom Technology Inc.–T-Soft E-Commerce | Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery. This issue affects T-Soft E-Commerce: through 28112025. | 2025-12-01 | 5.4 | CVE-2025-13296 | https://www.usom.gov.tr/bildirim/tr-25-0421 |
| themeisle–Visualizer: Tables and Charts Manager for WordPress | The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘query’ parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability. | 2025-12-02 | 6.5 | CVE-2025-12483 | https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499 https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail= |
| torod–Torod The smart shipping and delivery portal for e-shops and retailers | The Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12373 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80 |
| TOZED–ZLT M30S | A vulnerability was determined in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. This impacts an unknown function of the file /reqproc/proc_post of the component Web Interface. Manipulation of the argument goformId with the input REBOOT_DEVICE can lead to denial of service. The attack can only be carried out within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.3 | CVE-2025-14105 | VDB-334487: TOZED ZLT M30S/ZLT M30S PRO Web proc_post denial of service; CTI Indicators (IOB, IOC, IOA); Submit #696740: ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Denial of Service https://youtu.be/RNgsrnPPxgQ |
| tunilame–CSS3 Buttons | The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘button’ shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c1f71ffb-f09c-40f6-b65e-af30ce155466?source=cve https://plugins.trac.wordpress.org/browser/css3-buttons/trunk/css3-buttons.php#L59 https://plugins.trac.wordpress.org/browser/css3-buttons/tags/0.1/css3-buttons.php#L59 |
| Tyche Softwares–Arconix Shortcodes | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.19. | 2025-12-01 | 6.5 | CVE-2025-13835 | https://vdp.patchstack.com/database/wordpress/plugin/arconix-shortcodes/vulnerability/wordpress-arconix-shortcodes-plugin-2-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TykoDev–cherry-studio-TykoFork | A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Manipulation of the argument authorizationUrl leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14204 | VDB-334647: TykoDev cherry-studio-TykoFork OAuth Server Discovery oauth-authorization-server redirectToAuthorization os command injection; CTI Indicators (IOB, IOC, TTP, IOA); Submit #700182: GitHub cherry-studio-TykoFork 0.0.1 OS Command Injection https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0 |
| UTT–进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/websHostFilter. Manipulation of the argument addHostFilter results in a buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 6.5 | CVE-2025-14140 | VDB-334528: UTT 进取 520W websHostFilter strcpy buffer overflow; CTI Indicators (IOB, IOC, IOA); Submit #698521: UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/12.md https://github.com/cymiao1978/cve/blob/main/new/12.md#poc |
| UTT–进取 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Manipulation of the argument timeRangeName leads to a buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 5.7 | CVE-2025-14139 | VDB-334527: UTT 进取 520W formConfigDnsFilterGlobal strcpy buffer overflow; CTI Indicators (IOB, IOC, IOA); Submit #698520: UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/11.md https://github.com/cymiao1978/cve/blob/main/new/11.md#poc |
| Verysync–微力同步 | A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Manipulation can lead to unrestricted upload. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14199 | VDB-334619: Verysync 微力同步 Web Administration text.txt unrestricted upload; CTI Indicators (IOB, IOC, TTP, IOA); Submit #699539: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Upload Any File https://github.com/jjjjj-zr/jjjjjzr/issues/10 |
| Verysync–微力同步 | A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14197 | VDB-334617: Verysync 微力同步 Web Administration f96956469e7be39d information disclosure; CTI Indicators (IOB, IOC, TTP, IOA); Submit #699498: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Unauthorized Access; Submit #699537: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Arbitrary File Read (Duplicate) https://github.com/jjjjj-zr/jjjjjzr/issues/6 https://github.com/jjjjj-zr/jjjjjzr/issues/8 |
| Verysync–微力同步 | A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Manipulation results in information disclosure. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14198 | VDB-334618: Verysync 微力同步 Web Administration download information disclosure; CTI Indicators (IOB, IOC, TTP, IOA); Submit #699533: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Download any file https://github.com/jjjjj-zr/jjjjjzr/issues/7 |
| voidek–Voidek Employee Portal | The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. | 2025-12-05 | 5.3 | CVE-2025-12093 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d33b83d5-cfc0-48b6-a54e-1ae8ac52aae1?source=cve https://wordpress.org/plugins/voidek-employee-portal/ |
| watchful–Backup, Restore and Migrate your sites with XCloner | The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | 2025-12-05 | 4.3 | CVE-2025-11759 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore |
| wcvendors–WC Vendors WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors | The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12130 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php |
| webdevstudios–Custom Post Type UI | The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the “cptui_process_post_type” function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations. | 2025-12-04 | 4.8 | CVE-2025-12826 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9 |
| webradykal–Easy Jump Links Menus | The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13860 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e88dc0-4798-4da8-87cf-4c398acc622c?source=cve https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/trunk/easy-jump-links-menus.php#L52 https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/tags/1.0.0/easy-jump-links-menus.php#L52 |
| wedevs–weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings. | 2025-12-06 | 5.4 | CVE-2025-12505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail= |
| Wireshark Foundation–Wireshark | HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service. | 2025-12-03 | 5.5 | CVE-2025-13945 | https://www.wireshark.org/security/wnpa-sec-2025-07.html GitLab Issue #20860 |
| Wireshark Foundation–Wireshark | MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service. | 2025-12-03 | 5.5 | CVE-2025-13946 | https://www.wireshark.org/security/wnpa-sec-2025-08.html GitLab Issue #20884 |
| wpblockart–BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘timestamp’ attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13697 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b91364fa-7046-427f-84ee-6a36d49bb80f?source=cve https://plugins.trac.wordpress.org/changeset/3404884/ |
| wpdevelop–Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin ‘bookingcalendar’ shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12804 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad993a62-457a-494f-a7c8-256b808d18c0?source=cve https://plugins.trac.wordpress.org/changeset/3391614/booking |
| wpdiscover–Social Feed Gallery Portfolio | The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13896 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2a275deb-a0e3-491a-bed6-9f6112918061?source=cve https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L208 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L208 |
| wpeka-club–SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘surveyfunnel_lite_survey’ shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12417 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d13aadf-c144-4919-9bbd-54cb26cf2527?source=cve https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/public/class-surveyfunnel-lite-public.php#L240 https://developer.wordpress.org/apis/security/escaping/ |
| wpeka-club–SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses. | 2025-12-05 | 5.3 | CVE-2025-13006 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php |
| wpforchurch–Sermon Manager | The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41116b52-8f94-4d29-8845-a27bdf817b43?source=cve https://wordpress.org/plugins/sermon-manager-for-wordpress https://plugins.trac.wordpress.org/browser/sermon-manager-for-wordpress/tags/2.30.0/includes/vendor/entry-views.php#L114 |
| wpmanageninja–FluentCart A New Era of eCommerce Faster, Lighter, and Simpler | The FluentCart plugin for WordPress is vulnerable to SQL Injection via the ‘groupKey’ parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-03 | 4.9 | CVE-2025-13495 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2000b23f-d8a2-4b83-9bf7-b90cb16718f3?source=cve https://plugins.trac.wordpress.org/browser/fluent-cart/trunk/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/browser/fluent-cart/tags/1.3.0/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/changeset/3408039/fluent-cart/tags/1.3.2/app/Services/Report/ReportHelper.php |
| xbenx–WP Landing Page | The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the ‘wplp_api_update_text’ function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-06 | 4.3 | CVE-2025-13629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8576b-e6ad-4e0a-b99f-948ba36f53ff?source=cve https://plugins.trac.wordpress.org/browser/wp-landing-page/trunk/includes/wplp-api.php#L14 https://plugins.trac.wordpress.org/browser/wp-landing-page/tags/0.9.3/includes/wplp-api.php#L14 |
| xerrors–Yuxi-Know | A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion). | 2025-12-05 | 4.7 | CVE-2025-14116; VDB-334492; Submit #697380: xerrors Yuxi-Know ≤ 0.4.0 Server-Side Request Forgery | https://www.notion.so/SSRF-vulnerablity-in-Yuxi-Know-2afea92a3c4180bea524f1a253f8d9a0?source=copy_link https://github.com/xerrors/Yuxi-Know/commit/0ff771dc1933d5a6b78f804115e78a7d8625c3f3 |
| yhirose–cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by get_client_ip() in docker/main.cc, causing access and error logs (nginx_access_logger / nginx_error_logger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0. | 2025-12-05 | 5.3 | CVE-2025-66577 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-gfpf-r66f-5mh2 https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| Yohann0617–oci-helper | A weakness has been identified in Yohann0617 oci-helper up to 3.2.4. This issue affects the function addCfg of the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the component OCI Configuration Upload. Executing manipulation of the argument File can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 6.3 | CVE-2025-13875; VDB-334031; Submit #692125: yohann( https://github.com/Yohann0617 ) oci-helper <=V3.2.4 Directory/Path Traversal | https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md#proof-of-concept |
| Yonyou–U8 Cloud | A vulnerability was identified in Yonyou U8 Cloud 5.0/5.0sp/5.1/5.1sp. The affected element is an unknown function of the file nc/pubitf/erm/mobile/appservice/AppServletService.class. Manipulation of the argument usercode leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14185; VDB-334605; Submit #698601: Yonyou Network Technology Co., Ltd. U8 Cloud 5.0,5.0sp,5.1,5.1sp SQL Injection | https://github.com/798xuezhiqian-collab/vuln01 |
| youlaitech–youlai-mall | A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function getById/updateAddress/deleteAddress of the file /mall-ums/app-api/v1/addresses/. Executing manipulation can lead to improper control of dynamically-identified variables. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 6.3 | CVE-2025-14051; VDB-334367; Submit #694827: youlai-mall latest Improper Control of Resource Identifiers; Submit #694836 (Duplicate); Submit #694837 (Duplicate) | https://github.com/Hwwg/cve/issues/18 https://github.com/Hwwg/cve/issues/19 |
| youlaitech–youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14052; VDB-334368; Submit #694854: youlai-mall latest Improper Control of Resource Identifiers | https://github.com/Hwwg/cve/issues/21 |
| youlaitech–youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14085; VDB-334476; Submit #695943: youlai-mall latest Improper Control of Resource Identifiers | https://github.com/Hwwg/cve/issues/23 |
| youlaitech–youlai-mall | A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14086; VDB-334477; Submit #695945: youlai-mall latest Improper Control of Resource Identifiers | https://github.com/Hwwg/cve/issues/25 |
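The cpp-httplib entry above (CVE-2025-66577) is the general "trust X-Forwarded-For from anyone" mistake: whoever can reach the listener chooses the client address that ends up in the access log and in any IP-based authorization check. The following is an added example written for this bulletin, not code from cpp-httplib or any other project listed here; the trusted-proxy CIDRs, header values and log format are constructed for illustration. It places the weak resolver next to a hardened one that only honours forwarding headers from configured proxies, walks the chain from the proxy-appended end, and logs the socket peer alongside the resolved client so a spoofed header can never erase where the connection actually came from.

```python
import ipaddress

# Added example (not cpp-httplib code). Networks this deployment has decided to
# trust as forwarding proxies; any other peer is treated as the end client.
# The CIDRs and header values used here are constructed for illustration.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32")]


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def client_ip_unconditional(peer_addr, headers):
    """The weak pattern: honour X-Forwarded-For / X-Real-IP from any peer.
    A client can put whatever it likes in these headers, so logs and
    IP-based authorization see an attacker-chosen address."""
    h = _lower(headers)
    if h.get("x-forwarded-for"):
        return h["x-forwarded-for"].split(",")[0].strip()
    return h.get("x-real-ip", peer_addr)


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_trusted(peer_addr, headers):
    """Hardened pattern: only honour forwarding headers when the TCP peer is a
    trusted proxy, and walk the X-Forwarded-For chain from the right (the hop
    appended by the proxy closest to us) so values prepended by the client
    cannot win. Anything unparsable falls back to the socket address."""
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return peer_addr
    if not _is_trusted(peer):
        return peer_addr                       # direct client: headers are untrusted
    h = _lower(headers)
    hops = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    if not hops and h.get("x-real-ip"):
        hops = [h["x-real-ip"].strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr                   # garbage in the chain: do not guess
        if not _is_trusted(addr):
            return str(addr)                   # first untrusted hop is the real client
    return hops[0] if hops else peer_addr      # whole chain internal


def access_log_line(peer_addr, headers, method, path, status):
    """Log both the resolved client and the socket peer, so a forged header
    can at most add a claimed address next to the real one, never replace it."""
    client = client_ip_trusted(peer_addr, headers)
    return f'client={client} peer={peer_addr} "{method} {path}" {status}'
```

With this resolver a direct client sending `X-Forwarded-For: 1.2.3.4` is logged as its socket address, while the same header arriving via a proxy in `10.0.0.0/8` resolves to the first address in the chain that is not itself a trusted proxy. The trusted set must be maintained per deployment; an empty set is the safe default.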
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| alokjaiswal–Hotel-Management-services-using-MYSQL-and-php | A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14200; VDB-334620; Submit #699993: Hotel-Management-services-using-MYSQL-and-php web 1 XSS vulnerability | https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%202xxs.docx |
| alokjaiswal–Hotel-Management-services-using-MYSQL-and-php | A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 2.4 | CVE-2025-14201; VDB-334621; Submit #699994: Hotel-Management-services-using-MYSQL-and-php web 1 XSS vulnerability | https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%201%20xxs.docx |
| code-projects–Chamber of Commerce Membership Management System | A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-12-07 | 2.4 | CVE-2025-14205; VDB-334648; Submit #700421: code-projects Chamber of Commerce Membership Management System In PHP With Source Code V1.0 Improper Neutralization of Alternate XSS Syntax | https://www.yuque.com/u42535181/pm5nde/ky49h1xg6si9d3m8#zdDXX https://code-projects.org/ |
| code-projects–Employee Profile Management System | A vulnerability was identified in code-projects Employee Profile Management System 1.0. This issue affects some unknown processing of the file /view_personnel.php. The manipulation of the argument per_address/dr_school/other_school leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-07 | 3.5 | CVE-2025-14194; VDB-334614; Submit #699246: code-projects Employee Profile Management System published November 15, 2025 Cross Site Scripting | https://github.com/shenxianyuguitian/employee-management-XSS https://code-projects.org/ |
| dayrui–XunRuiCMS | A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 3.5 | CVE-2025-14006; VDB-334248; Submit #692910: Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting | https://github.com/24-2021/vul/blob/main/xunruicms-Data%20Validation-XSS/xunruicms-Data%20Validation-XSS.md |
| dayrui–XunRuiCMS | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing manipulation of the argument data[name] can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14005; VDB-334247; Submit #692909: Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting | https://github.com/24-2021/vul/blob/main/xunruicms-Basic%20Settings-XSS/xunruicms-Basic%20Settings-XSS.md |
| dayrui–XunRuiCMS | A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed remotely. The attack has high complexity and is reported as difficult to exploit. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2 | CVE-2025-14007; VDB-334249; Submit #692914: Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 URL redirection causing remote XSS | https://github.com/24-2021/vul/blob/main/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS.md |
| envoyproxy–envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. | 2025-12-03 | 3.7 | CVE-2025-64763 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh |
| Grandstream–GXP1625 | A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14186; VDB-334606; Submit #698650: Grandstream GXP1625 1.0.7.4 XSS | https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing |
| hedgedoc–hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc’s OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, because they neither send a `state` parameter in the authorization request nor verify it on the callback. This vulnerability is fixed in 1.10.4. | 2025-12-05 | 3.7 | CVE-2025-66629 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvv https://github.com/hedgedoc/hedgedoc/commit/35f36fccba941ed8029ee222f7d2a5df17b42e2b |
| Mattermost–Mattermost | Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when accessing files and subscribing to blocks in Boards, which allows an authenticated user to access files of other boards and to subscribe to blocks of boards that the user does not have access to. | 2025-12-02 | 3.1 | CVE-2025-13870 | https://mattermost.com/security-updates |
| Medtronic–CareLink Network | Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 2.2 | CVE-2025-12997 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| n/a–JIZHICMS | A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14013; VDB-334254; Submit #694649: Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 Stored XSS | https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS.md |
| nextcloud–security-advisories | Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app’s message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code. | 2025-12-05 | 3.5 | CVE-2025-66514 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 https://github.com/nextcloud/mail/pull/11740 https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 https://hackerone.com/reports/3357036 |
| nextcloud–security-advisories | Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. | 2025-12-05 | 3.5 | CVE-2025-66545 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m https://github.com/nextcloud/groupfolders/issues/4041 https://github.com/nextcloud/groupfolders/pull/4076 https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58 |
| nextcloud–security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments by sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. | 2025-12-05 | 3.3 | CVE-2025-66546 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95 https://github.com/nextcloud/calendar/pull/7537 https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3 https://hackerone.com/reports/3275810 |
| nextcloud–security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extensions could be spoofed using RTLO characters, tricking users into downloading files with a different extension than the one displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1. | 2025-12-05 | 3.3 | CVE-2025-66548 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 https://github.com/nextcloud/deck/pull/6671 https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a https://hackerone.com/reports/2326618 |
| nextcloud–security-advisories | Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5. | 2025-12-05 | 3.5 | CVE-2025-66554 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2 https://github.com/nextcloud/contacts/pull/4619 https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1 https://hackerone.com/reports/3293290 |
| nextcloud–security-advisories | Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. | 2025-12-05 | 3.5 | CVE-2025-66556 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh https://github.com/nextcloud/spreed/pull/15532 https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725 https://hackerone.com/reports/3247386 |
| nextcloud–security-advisories | Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to remove a victim's 2FA WebAuthn device when correctly guessing an 80 to 128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. | 2025-12-05 | 3.1 | CVE-2025-66558 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q https://github.com/nextcloud/twofactor_webauthn/pull/881 https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d https://hackerone.com/reports/3360354 |
| nextcloud–security-advisories | The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow could put another user’s file into the “pending approval” state, without access to the file, by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | 2025-12-05 | 2.7 | CVE-2025-66515 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5 https://github.com/nextcloud/approval/pull/334 https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4 https://hackerone.com/reports/3338748 |
| nextcloud–security-advisories | Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5. | 2025-12-05 | 2.4 | CVE-2025-66549 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw https://github.com/nextcloud/desktop/pull/8330 https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6 https://hackerone.com/reports/3159877 |
| nutzam–NutzBoot | A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing manipulation can lead to deserialization. The attack may be launched remotely. The attack has high complexity and is reported as difficult to exploit. The exploit has been made available to the public and could be exploited. | 2025-12-01 | 3.7 | CVE-2025-13805; VDB-333815; Submit #692053: Nutz Framework NutzBoot 2.6.0-SNAPSHOT Code Execution (Unauthenticated Java Deserialization) | https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md#vulnerability-details-and-poc |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2025-12-03 | 3.5 | CVE-2025-20382 | https://advisory.splunk.com/advisories/SVD-2025-1201 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | 2025-12-03 | 2.4 | CVE-2025-20385 | https://advisory.splunk.com/advisories/SVD-2025-1204 |
| Splunk–Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. | 2025-12-03 | 2.7 | CVE-2025-20388 | https://advisory.splunk.com/advisories/SVD-2025-1207 |
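The HedgeDoc entry above (CVE-2025-66629) is the textbook OAuth2 login-CSRF gap: without a `state` value minted by the server, bound to the browser session and checked on the callback, an attacker can hand a victim a callback URL carrying the attacker's authorization code and log the victim into the attacker's account. The following is an added example written for this bulletin, not HedgeDoc's code; the `session` dict, provider URLs, client id and redirect URI are stand-ins for whatever a real application uses. It shows the state being issued, the four callback outcomes that matter (honest, forged, replayed, expired), and why the pending state is consumed before any check runs.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not HedgeDoc code. `session` stands in for the server-side
# session of one browser (a plain dict here); provider names, URLs and client
# identifiers are illustrative.
STATE_TTL_SECONDS = 600


def begin_login(session, provider, authorize_url, client_id, redirect_uri, now=None):
    """Mint a fresh, unguessable state, bind it to this session and provider,
    and return the authorization URL that carries it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = {
        "value": state,
        "provider": provider,
        "issued": time.time() if now is None else now,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}"


def state_from_url(url):
    """Pull the state back out of an authorization URL (what the provider echoes)."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(session, provider, query, now=None):
    """Validate the provider's redirect. The pending state is popped first so it
    is single-use whether or not the checks pass. Returns the authorization code."""
    pending = session.pop("oauth_state", None)
    if pending is None:
        raise PermissionError("no login in progress for this session")
    if pending["provider"] != provider:
        raise PermissionError("state was issued for a different provider")
    current = time.time() if now is None else now
    if current - pending["issued"] > STATE_TTL_SECONDS:
        raise PermissionError("state expired")
    received = query.get("state", "")
    if not hmac.compare_digest(pending["value"], received):
        raise PermissionError("state mismatch: callback not initiated by this session")
    if "code" not in query:
        raise PermissionError("authorization code missing")
    return query["code"]


def attempt(session, provider, query, now=None):
    """Outcome of one callback as a string, for the scenarios below."""
    try:
        return "accepted:" + handle_callback(session, provider, query, now)
    except PermissionError as exc:
        return "rejected:" + str(exc)


def scenarios():
    authz = "https://github.com/login/oauth/authorize"
    cb = "https://pad.example/auth/github/callback"
    # 1. Honest flow: the browser that started the login finishes it.
    honest = {}
    url = begin_login(honest, "github", authz, "client-id", cb, now=1000.0)
    state = state_from_url(url)
    legit = attempt(honest, "github", {"code": "CODE-A", "state": state}, now=1010.0)
    # 2. Login CSRF: the victim is lured to a callback URL carrying the attacker's
    #    code; the victim's session holds a state the attacker never saw.
    victim = {}
    begin_login(victim, "github", authz, "client-id", cb, now=1000.0)
    forged = attempt(victim, "github", {"code": "CODE-ATTACKER"}, now=1010.0)
    # 3. Replay: the honest state was consumed in step 1.
    replay = attempt(honest, "github", {"code": "CODE-A", "state": state}, now=1010.0)
    # 4. Stale: a correct state presented after the TTL.
    stale = {}
    url2 = begin_login(stale, "github", authz, "client-id", cb, now=0.0)
    expired = attempt(stale, "github", {"code": "CODE-B", "state": state_from_url(url2)}, now=601.0)
    return {"legit": legit, "forged": forged, "replay": replay, "expired": expired}
```

Two design points carry the protection: the comparison is constant-time and the state is removed from the session before it is checked, so a failed attempt cannot be retried against the same value. Binding the state to the provider name closes the variant where a callback for one provider is replayed against another.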
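The Nextcloud Deck entry above (CVE-2025-66548) relies on a Unicode right-to-left override (U+202E) to make a stored name such as `invoice<RLO>fdp.exe` read as `invoiceexe.pdf` on screen while the OS still sees an `.exe`. The following is an added example written for this bulletin, not Nextcloud code; the filenames are constructed and the display simulation is a deliberate simplification (it reverses the run after an RLO up to the next PDF or the end of the string, which is enough to reproduce the classic extension swap). It flags names whose displayed extension differs from the real one and strips the control characters before a name is stored or rendered.

```python
import unicodedata

# Added example, not Nextcloud Deck code. Filenames below are constructed.
# Unicode bidi controls that can make a name display differently from how it
# is stored; U+202E (RIGHT-TO-LEFT OVERRIDE) is the usual one in attacks.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200e", "\u200f", "\u061c",                       # LRM RLM ALM
}
RLO, PDF = "\u202e", "\u202c"


def true_extension(name):
    """Extension the filesystem and the OS launcher actually act on."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def approximate_display(name):
    """Approximate what a renderer shows: after an RLO the run up to the next
    PDF (or the end of the string) appears reversed. Other controls are invisible."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def sanitize_filename(name):
    """Drop every bidi control and any other format character (category Cf)
    before a name is stored or shown to users."""
    return "".join(
        ch for ch in name
        if ch not in BIDI_CONTROLS and unicodedata.category(ch) != "Cf"
    )


def check_filename(name):
    """Report whether the name carries bidi controls and whether the extension a
    user sees differs from the one that will be executed."""
    displayed = approximate_display(name)
    result = {
        "has_bidi": any(ch in BIDI_CONTROLS for ch in name),
        "true_ext": true_extension(name),
        "displayed": displayed,
        "displayed_ext": true_extension(displayed),
    }
    result["mismatch"] = result["has_bidi"] and result["true_ext"] != result["displayed_ext"]
    return result
```

In practice the simplest policy is to reject or sanitize any name containing a bidi control at upload time; the mismatch check is useful for scanning names that are already stored.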
Severity Not Yet Assigned
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features. | 2025-12-05 | not yet calculated | CVE-2025-34256 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34257 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-defined |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored and later rendered in the map list without HTML sanitization. An attacker can inject malicious script into the area name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34258 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-plan |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitization. An attacker can inject malicious script into the map entry name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34259 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-building |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitization. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34260 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-schedule |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34261 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicegroups |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitization. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34262 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devices-name-agentid |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34263 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitation. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34264 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-dog-agentid |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitation. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with the affected rule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34265 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-rulesengine |
| Advantech Co., Ltd.–WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34266 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY—-DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus |
| AI-QL–tuui | TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim’s machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4. | 2025-12-05 | not yet calculated | CVE-2025-66562 | https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1 https://github.com/AI-QL/tuui/releases/tag/v1.3.4 |
| airkeyboardapp–AirKeyboard iOS App | AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim’s iOS device in real-time without user interaction, resulting in full remote input control. | 2025-12-04 | not yet calculated | CVE-2025-66555 | Exploit Database Entry 52333 AirKeyboard Homepage Apple App Store Link https://www.vulncheck.com/advisories/airkeyboard-ios-app-105-remote-input-injection |
| AMS Development Corp.–GAMS | Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculate the checksum and generate a valid license to grant themselves full privileges without credentials or access to the source code, allowing them unrestricted access to GAMS’s mathematical models and commercial solvers. | 2025-12-02 | not yet calculated | CVE-2025-41086 | https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-gams-gams-development-corp https://www.gams.com/latest/docs/RN_51.html |
| angular–angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler’s internal security schema is incomplete, allowing attackers to bypass Angular’s built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17. | 2025-12-01 | not yet calculated | CVE-2025-66412 | https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49 https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a |
| anthropic-experimental–sandbox-runtime | Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16. | 2025-12-04 | not yet calculated | CVE-2025-66479 | https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47 https://github.com/anthropic-experimental/sandbox-runtime/commit/bea2930cc1db9c73a1b15acf6dc19c5261aec1f3 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93. | 2025-12-03 | not yet calculated | CVE-2025-66032 | https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3 |
| Apache Software Foundation–Apache bRPC | Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options) 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will fail after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit. | 2025-12-01 | not yet calculated | CVE-2025-59789 | https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx |
| Apache Software Foundation–Apache HTTP Server | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-55753 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation–Apache HTTP Server | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to `#exec cmd="…"` directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-58098 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation–Apache HTTP Server | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off could allow NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-59775 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation–Apache HTTP Server | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-65082 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation–Apache HTTP Server | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-66200 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation–Apache Struts | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | 2025-12-01 | not yet calculated | CVE-2025-64775 | https://cwiki.apache.org/confluence/display/WW/S2-068 |
| Apache Software Foundation–Apache Tika core | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the `org.apache.tika:tika-parsers` module. | 2025-12-04 | not yet calculated | CVE-2025-66516 | https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k https://cve.org/CVERecord?id=CVE-2025-54988 |
| Arm Ltd–Valhall GPU Kernel Driver | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0. | 2025-12-01 | not yet calculated | CVE-2025-2879 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd–Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-6349 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd–Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-8045 | https://developer.arm.com/documentation/110697/latest/ |
| Cacti–cacti | Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29. | 2025-12-02 | not yet calculated | CVE-2025-66399 | https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf |
| calcom–cal.com | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8. | 2025-12-03 | not yet calculated | CVE-2025-66489 | https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98 |
| Canonical–python-apt | NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key. | 2025-12-05 | not yet calculated | CVE-2025-6966 | https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865 |
| ChurchCRM–CRM | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques. | 2025-12-01 | not yet calculated | CVE-2025-66313 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvp https://github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3c30dae6229daaecd451e59f |
| Cloudflare–gokey | In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact: This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password. Patches: The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance: It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation: Such systems usually have a “Forgot password” facility or a similar facility allowing users to rotate their password/secrets by sending a unique “magic” link to the user’s email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation: Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form. Systems that allow multiple credentials for the same account to be provisioned: Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system. Credit: This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare’s bug bounty program. | 2025-12-02 | not yet calculated | CVE-2025-13353 | https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm |
| CollaboraOnline–online | Collabora Online – Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online – Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702. | 2025-12-03 | not yet calculated | CVE-2025-66208 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf |
| ColorOS–ColorOS | A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning. | 2025-12-05 | not yet calculated | CVE-2025-27389 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1996493715665068032 |
| Compass Plus Technologies–TranzAxis | TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | 2025-12-04 | not yet calculated | CVE-2025-66574 | ExploitDB-52086 Compass Technologies Homepage https://www.vulncheck.com/advisories/tranzaxis-32411026-stored-cross-site-scripting-xss |
| Data Illusion Zumbrunn–NGSurvey | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * Password hashed with bcrypt * User IP * Email * Full Name | 2025-12-01 | not yet calculated | CVE-2025-13829 | https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28 |
| djangoproject–Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-13372 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| djangoproject–Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-64460 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| docker–mcp-gateway | MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue. | 2025-12-03 | not yet calculated | CVE-2025-64443 | https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e |
| Duc–Duc | A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read. | 2025-12-05 | not yet calculated | CVE-2025-13654 | https://github.com/zevv/duc/releases/tag/1.4.6 https://kb.cert.org/vuls/id/441887 https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc |
| Eclipse Foundation–paho.mqtt.golang (Go MQTT v3.1 library) | In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body). | 2025-12-02 | not yet calculated | CVE-2025-10543 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254 |
| espressif–esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior. | 2025-12-02 | not yet calculated | CVE-2025-66409 | https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96 https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372 https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946 https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902 https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7 |
| ESTsoft–ALZip | Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass. This issue affects ALZip: from 12.01 before 12.29. | 2025-12-03 | not yet calculated | CVE-2025-29864 | https://altools.co.kr/product/ALZIP |
| fastify–fastify-reply-from | fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0. | 2025-12-01 | not yet calculated | CVE-2025-66415 | https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66 |
| FERMAX ELECTRÓNICA S.A.U–MeetMe | Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5. | 2025-12-02 | not yet calculated | CVE-2025-10971 | https://www.fermax.com/security-advisories |
| Flexsense–DiskBoss | Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the ‘sc qc’ command, allowing them to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2020-36879 | Exploit Database Entry 49022 DiskBoss Homepage DiskBoss Software Link https://www.vulncheck.com/advisories/flexsense-diskboss-service-unquoted-service-path-vulnerability |
| Flexsense–DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the ‘Reports and Data Directory’ field that allows an attacker to execute arbitrary code on the system. | 2025-12-05 | not yet calculated | CVE-2020-36880 | Exploit Database Entry 48689 Reference https://www.vulncheck.com/advisories/flexsense-diskboss-reports-and-data-directory-buffer-overflow |
| Flexsense–DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the ‘Input Directory’ component that allows unauthenticated attackers to execute arbitrary code on the system. Attackers can exploit this by pasting a specially crafted directory path into the ‘Add Input Directory’ field. | 2025-12-05 | not yet calculated | CVE-2020-36881 | Exploit Database Entry 48279 Official Product Homepage Software Link Download GitHub Repository https://www.vulncheck.com/advisories/flexsense-diskboss-add-input-directory-buffer-overflow |
| Flexsense–DiskBoss | Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application. | 2025-12-05 | not yet calculated | CVE-2020-36882 | Exploit Database Entry 48276 Official Vendor Homepage Software Download Link https://www.vulncheck.com/advisories/flexsense-diskboss-denial-of-service-by-crashing-the-application |
| flipped-aurora–gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the ‘FileMd5’ parameter to delete any file and folder. | 2025-12-01 | not yet calculated | CVE-2025-66410 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7 https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6 |
| frappe–lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly. This vulnerability is fixed in 2.41.0. | 2025-12-05 | not yet calculated | CVE-2025-66581 | https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m |
| FreePBX–security-reporting | Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | 2025-12-03 | not yet calculated | CVE-2025-62173 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-q3h9-fmpr-vpfw |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66294 | https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66297 | https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6 https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on the site can reveal the whole Grav configuration (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66298 | https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields in a POST request to /admin/pages/{page_name}, an editor with permission only to change basic content on a form is able to change how the form functions by modifying data[_json][header][form]. This is the YAML frontmatter whose process section dictates what happens after a user submits the form, including important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66301 | https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh |
| getgrav–grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the “Languages” submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server, because preg_match() is called with an improperly constructed regular expression. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66305 | https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66308 | https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66309 | https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page’s frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66310 | https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66311 | https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav–grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66312 | https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| Go standard library–crypto/x509 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | 2025-12-03 | not yet calculated | CVE-2025-61727 | https://go.dev/cl/723900 https://go.dev/issue/76442 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4175 |
| Go standard library–crypto/x509 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | 2025-12-02 | not yet calculated | CVE-2025-61729 | https://go.dev/cl/725920 https://go.dev/issue/76445 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4155 |
| Google Cloud–Apigee hybrid Javacallout policy | A vulnerability exists in Google Apigee’s JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The following Apigee hybrid versions have all been updated to protect from this vulnerability: Hybrid_1.11.2+, Hybrid_1.12.4+, Hybrid_1.13.3+, Hybrid_1.14.1+, OPDK_5202+, OPDK_5300+. | 2025-12-05 | not yet calculated | CVE-2025-13426 | https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025 |
| Google Cloud–Apigee-X | A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this. | 2025-12-06 | not yet calculated | CVE-2025-13292 | https://docs.cloud.google.com/apigee/docs/release-notes#October_16_2025 |
| Google–Chrome | Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13630 | |
| Google–Chrome | Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High) | 2025-12-02 | not yet calculated | | |
| Google–Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13632 | |
| Google–Chrome | Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13633 | |
| Google–Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13634 | |
| Google–Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13635 | |
| Google–Chrome | Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13636 | |
| Google–Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13637 | |
| Google–Chrome | Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13638 | |
| Google–Chrome | Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13639 | |
| Google–Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical access to the device. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13640 | |
| Google–Chrome | Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13720 | |
| Google–Chrome | Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13721 | |
| Google–Chrome | Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-03 | not yet calculated | CVE-2025-13992 | |
| Horde–Groupware | Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user. | 2025-12-02 | not yet calculated | CVE-2025-41066 | https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware |
| HP Inc–HP Image Assistant | A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages. | 2025-12-03 | not yet calculated | CVE-2025-13492 | https://support.hp.com/us-en/document/ish_13505078-13505143-16/hpsbgn04078 |
| IDI Eikon–Governalia | Reflected Cross-Site Scripting (XSS) in IDI Eikon’s Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim’s browser when a malicious URL with the ‘q’ parameter in ‘/search’ is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim. | 2025-12-02 | not yet calculated | CVE-2025-40700 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-governalia-idi-eikon https://governalia.es/ |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use. | 2025-12-01 | not yet calculated | CVE-2025-58408 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| IndigoSTAR Software–perl2exe | perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. Attackers can control the 0th argument of packed executables to execute another executable, allowing them to bypass restrictions and gain unauthorized access. | 2025-12-04 | not yet calculated | CVE-2024-58278 | ExploitDB-51825 IndigoSTAR Software Homepage IndigoSTAR Software Download Page https://www.vulncheck.com/advisories/indigostar-software-perl2exe-v3010c-arbitrary-code-execution |
| Industrial Video & Control–Longwatch | A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges. | 2025-12-02 | not yet calculated | CVE-2025-13658 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01 |
| Iskra–iHUB and iHUB Lite | The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings. | 2025-12-02 | not yet calculated | CVE-2025-13510 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02 |
| jpylypiw–Easywall | Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a parameter injection flaw. Attackers can inject shell metacharacters to execute arbitrary commands on the server. | 2025-12-04 | not yet calculated | CVE-2024-58275 | ExploitDB-51856 Easywall Homepage Easywall GitHub Repository https://www.vulncheck.com/advisories/easywall-031-authentication-bypass-via-command-injection-in-ports-save-endpoint |
| JumpCloud Inc.–Remote Assist | JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle. | 2025-12-02 | not yet calculated | CVE-2025-34352 | https://jumpcloud.com/platform/remote-assistance https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory |
| jumpserver–jumpserver | JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, the /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5. | 2025-12-01 | not yet calculated | CVE-2025-58044 | https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b |
| Langflow–Langflow | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints, including built-in code-execution functionality, allowing the attacker to execute arbitrary code and achieve full system compromise. | 2025-12-05 | not yet calculated | CVE-2025-34291 | https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform https://github.com/langflow-ai/langflow https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce |
| laradashboard–laradashboard | LaraDashboard is an all-in-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator’s reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution. | 2025-12-04 | not yet calculated | CVE-2025-66509 | https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82 https://github.com/laradashboard/laradashboard/commit/cc42f9cdf8e59bce794ee2d812a9709b1e6efa87 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X’s cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B’s listener and sk-C are not in-flight. 3-c decrements sk-A’s file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A’s file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let’s track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex’s scc_index. This way, we can continue to avoid Tarjan’s algorithm while preventing misjudgments. | 2025-12-04 | not yet calculated | CVE-2025-40214 | https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (“xfrm: destroy xfrm_state synchronously on net exit path”) is not complete. We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f (“tcp: drop secpath at the same time as we currently drop dst”)). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can’t guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we’re going to lock x->tunnel while x is locked. | 2025-12-04 | not yet calculated | CVE-2025-40215 | https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don’t rely on user vaddr alignment There is no guaranteed alignment for user pointers; however, the calculation of the offset of the first page into a folio after coalescing uses some weird bit mask logic. Get rid of it. | 2025-12-04 | not yet calculated | CVE-2025-40216 | https://git.kernel.org/stable/c/50998b0ae7d9d552e96d8b7239981cf05f65eff5 https://git.kernel.org/stable/c/f16769241594be59387b56ab525e327f54377e60 https://git.kernel.org/stable/c/3a3c6d61577dbb23c09df3e21f6f9eda1ecd634b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now. | 2025-12-04 | not yet calculated | CVE-2025-40217 | https://git.kernel.org/stable/c/bf0fbf5e8b0aff8a4a0fb35e32b10083baa83c04 https://git.kernel.org/stable/c/3c17001b21b9f168c957ced9384abe969019b609 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON’s virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN. pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel. Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem. | 2025-12-04 | not yet calculated | CVE-2025-40218 | https://git.kernel.org/stable/c/677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf https://git.kernel.org/stable/c/ac42320ec873bfe726141069cfdd90ee5bc4e885 https://git.kernel.org/stable/c/0ccd91cf749536d41307a07e60ec14ab0dbf21f5 https://git.kernel.org/stable/c/b93af2cc8e036754c0d9970d9ddc47f43cc94b9f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 (“PCI: Add global pci_lock_rescan_remove()”) such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc (“PCI/IOV: Factor out sriov_add_vfs()”) factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_rescan_remove_lock and checks whether the struct pci_dev still exists, the lack of synchronization makes this checking racy. Other races may also be possible of course though given that this lack of locking persisted so long observable races seem very rare. Even on s390 the list corruption was only observed with certain devices since the platform events are only triggered by config accesses after the removal, so as long as the removal finished synchronously they would not race. Either way the locking is missing so fix this by adding it to the sriov_del_vfs() helper. Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() including for the error case where pci_stop_and_remove_bus_device() is called without the PCI rescan-remove lock being held. Even in the non-error case, adding new PCI devices and buses should be serialized via the PCI rescan-remove lock. Add the necessary locking. | 2025-12-04 | not yet calculated | CVE-2025-40219 | https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01 https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8 https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847 https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from themselves: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there’s nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: “By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion).” Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command synchronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren’t any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. | 2025-12-04 | not yet calculated | CVE-2025-40220 | https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948 https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35 https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049 https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use. | 2025-12-04 | not yet calculated | CVE-2025-40221 | https://git.kernel.org/stable/c/b7f82da7f86479cb6479a76ebe213ece7c77398f https://git.kernel.org/stable/c/b792eba44494b4e6ab5006013335f9819f303b8b https://git.kernel.org/stable/c/c0d3f6969bb4d72476cfe7ea9263831f1c283704 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: sh-sci: fix RSCI FIFO overrun handling The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function. For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS. Because of this, we end up accessing memory outside of RSCI’s rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes. The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array. Avoid calling sci_getreg() for port types which don’t use standard register handling. Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register. sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt. ————[ cut here ]———— Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace: sci_serial_in+0x38/0xac (P) sci_handle_fifo_overrun.isra.0+0x70/0x134 sci_er_interrupt+0x50/0x39c __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x44/0xb0 handle_fasteoi_irq+0xf4/0x1a0 handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x140 call_on_irq_stack+0x30/0x48 do_interrupt_handler+0x80/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 default_idle_call+0x28/0x58 (P) do_idle+0x1f8/0x250 cpu_startup_entry+0x34/0x3c rest_init+0xd8/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 —[ end trace 0000000000000000 ]— | 2025-12-04 | not yet calculated | CVE-2025-40222 | https://git.kernel.org/stable/c/2ec9bbd09a6cdf5b8c726be34f29630faf585d07 https://git.kernel.org/stable/c/ef8fef45c74b5a0059488fda2df65fa133f7d7d0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below. | 2025-12-04 | not yet calculated | CVE-2025-40223 | https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809 https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6 https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1 https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc() The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash. Add a NULL pointer check and return -ENOMEM to handle allocation failure properly. | 2025-12-04 | not yet calculated | CVE-2025-40224 | https://git.kernel.org/stable/c/240b82b86a091c1aa49d951d4467425420a081a0 https://git.kernel.org/stable/c/a09a5aa8bf258ddc99a22c30f17fe304b96b5350 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix kernel panic on partial unmap of a GPU VA region This commit addresses a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO. Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on unmap but a partial unmap can require 2 new drm_gpuva and that’s why it ended up doing a NULL pointer dereference causing a kernel panic. Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP <snip> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] op_remap_cb.isra.22+0x50/0x80 __drm_gpuvm_sm_unmap+0x10c/0x1c8 drm_gpuvm_sm_unmap+0x40/0x60 panthor_vm_exec_op+0xb4/0x3d0 [panthor] panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor] panthor_ioctl_vm_bind+0x160/0x4a0 [panthor] drm_ioctl_kernel+0xbc/0x138 drm_ioctl+0x240/0x500 __arm64_sys_ioctl+0xb0/0xf8 invoke_syscall+0x4c/0x110 el0_svc_common.constprop.1+0x98/0xf8 do_el0_svc+0x24/0x38 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xc8 el0t_64_sync+0x174/0x178 | 2025-12-04 | not yet calculated | CVE-2025-40225 | https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645 https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Account for failed debug initialization When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL. Handle this fault condition in the SCMI debug helpers that maintain metrics counters. | 2025-12-04 | not yet calculated | CVE-2025-40226 | https://git.kernel.org/stable/c/d719ce9f286c439795cd2beee4c91f12b84bc5a0 https://git.kernel.org/stable/c/e088efcd97cb7c7297d166bb52c3b87a29f6a0b1 https://git.kernel.org/stable/c/554c9d5c6c695aedaecfb4365c187102709397b0 https://git.kernel.org/stable/c/2290ab43b9d8eafb8046387f10a8dfa2b030ba46 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: dealloc commit test ctx always The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it. | 2025-12-04 | not yet calculated | CVE-2025-40227 | https://git.kernel.org/stable/c/ba236520ae53418859f4b7c7de3c71478d3c0b5a https://git.kernel.org/stable/c/139e7a572af0b45f558b5e502121a768dc328ba8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: catch commit test ctx alloc failure Patch series “mm/damon/sysfs: fix commit test damon_ctx [de]allocation”. DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds. Fix the two bugs. This patch (of 2): The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed. | 2025-12-04 | not yet calculated | CVE-2025-40228 | https://git.kernel.org/stable/c/5b3609d9b9650bdea0bfdf643e0ce57e1aed67fc https://git.kernel.org/stable/c/f0c5118ebb0eb7e4fd6f0d2ace3315ca141b317f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed. This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks. | 2025-12-04 | not yet calculated | CVE-2025-40229 | https://git.kernel.org/stable/c/ff8dcf621a4172f4a6d42cbbb25d21659d3ac300 https://git.kernel.org/stable/c/7071537159be845a5c4ed5fb7d3db25aa4bd04a3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm: prevent poison consumption when splitting THP When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through ‘mcelog –ascii’ mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic – not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access pages in the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a kernel panic. In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. Thanks to Andrew Zaborowski for his initial work on fixing this issue. | 2025-12-04 | not yet calculated | CVE-2025-40230 | https://git.kernel.org/stable/c/6fc0a7c99e973a50018c8b4be34914a1b5c7b383 https://git.kernel.org/stable/c/92acf4b04f255d2f0f6770bb0d0a208d8ffb2b77 https://git.kernel.org/stable/c/841a8bfcbad94bb1ba60f59ce34f75259074ae0d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b (“vsock: Fix transport_* TOCTOU”) which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don’t need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won’t disappear by obtaining a module reference first via try_module_get(). | 2025-12-04 | not yet calculated | CVE-2025-40231 | https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5 https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162 https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80 https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rv: Fully convert enabled_monitors to use list_head as iterator The callbacks in enabled_monitors_seq_ops are inconsistent. Some treat the iterator as struct rv_monitor *, while others treat the iterator as struct list_head *. This causes a wrong type cast and crashes the system as reported by Nathan. Convert everything to use struct list_head * as iterator. This also makes enabled_monitors consistent with available_monitors. | 2025-12-04 | not yet calculated | CVE-2025-40232 | https://git.kernel.org/stable/c/8948a0338d33c4a7ef1e0c439a3ad1d5fe9355ae https://git.kernel.org/stable/c/103541e6a5854b08a25e4caa61e990af1009a52e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk. | 2025-12-04 | not yet calculated | CVE-2025-40233 | https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5 https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007 https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357 https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1 https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44 https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep handlers Devices without the AWCC interface don’t initialize `awcc`. Add a check before dereferencing it in sleep handlers. | 2025-12-04 | not yet calculated | CVE-2025-40234 | https://git.kernel.org/stable/c/24c3812c9e817d19e4842d7495561594de1ddcb4 https://git.kernel.org/stable/c/a49c4d48c3b60926e6a8cec217bf95aa65388ecc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots() If the fs_info->super_copy or fs_info->super_for_commit allocation failed in btrfs_get_tree_subvol(), then there is no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access a NULL pointer because fs_info->allocated_roots had not been initialised. syzkaller reported the following information: ————[ cut here ]———— BUG: unable to handle page fault for address: fffffffffffffbb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (…) RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:refcount_read include/linux/refcount.h:170 [inline] RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230 […] Call Trace: <TASK> btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280 btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029 btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097 vfs_get_tree+0x98/0x320 fs/super.c:1759 do_new_mount+0x357/0x660 fs/namespace.c:3899 path_mount+0x716/0x19c0 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f032eaffa8d […] | 2025-12-04 | not yet calculated | CVE-2025-40235 | https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73 https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: zero unused hash fields When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields. | 2025-12-04 | not yet calculated | CVE-2025-40236 | https://git.kernel.org/stable/c/b625d231c66a6041e98817ffc944bf6e4c45b2e3 https://git.kernel.org/stable/c/b2284768c6b32aa224ca7d0ef0741beb434f03aa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/notify: call exportfs_encode_fid with s_umount Calling inotify_show_fdinfo() on an fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing a NULL ptr. This issue was found by syzkaller. Race Condition Diagram: Thread 1 Thread 2 ——– ——– generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL | | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | v fsnotify_sb_delete(sb) Which then leads to: [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none) <snip registers, unreliable trace> [ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240 IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path. Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock. This form of fix was suggested by Amir in [1]. [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/ | 2025-12-04 | not yet calculated | CVE-2025-40237 | https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656 https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496 https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030 https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec cleanup over MPV device When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core. So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below. BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core] mlx5_devcom_send_event+0x8c/0x170 [mlx5_core] blocking_event+0x17b/0x230 [mlx5_core] notifier_call_chain+0x35/0xa0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core] mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib] mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib] ? idr_alloc_cyclic+0x50/0xb0 ? __kmalloc_cache_noprof+0x167/0x340 ? __kmalloc_noprof+0x1a7/0x430 __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe9/0x310 [mlx5_ib] ? kernfs_add_one+0x107/0x150 ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] auxiliary_bus_probe+0x3e/0x90 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x62d/0x830 __auxiliary_device_add+0x3b/0xa0 ? auxiliary_device_init+0x41/0x90 add_adev+0xd1/0x150 [mlx5_core] mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core] esw_mode_change+0x6c/0xc0 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x180/0x2b0 ? devlink_get_from_attrs_lock+0x170/0x170 ? devlink_nl_eswitch_get_doit+0x290/0x290 ? devlink_nl_pre_doit_port_optional+0x50/0x50 ? genl_family_rcv_msg_dumpit+0xf0/0xf0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1fc/0x2d0 netlink_sendmsg+0x1e4/0x410 __sock_sendmsg+0x38/0x60 ? sockfd_lookup_light+0x12/0x60 __sys_sendto+0x105/0x160 ? __sys_recvmsg+0x4e/0x90 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff —truncated— | 2025-12-04 | not yet calculated | CVE-2025-40238 | https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691 https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1 https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: always set shared->phydev for LAN8814 Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it. This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel. So, simply always set shared->phydev to avoid the NULL pointer exception. | 2025-12-04 | not yet calculated | CVE-2025-40239 | https://git.kernel.org/stable/c/da1ef8e9eb5d4a12bec32d11636e521e7d529b9e https://git.kernel.org/stable/c/b093b06826b836c2824858669db080c190c04715 https://git.kernel.org/stable/c/399d10934740ae8cdaa4e3245f7c5f6c332da844 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it’s supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We’re sure that otherwise chunk->skb is non-NULL because of outer if() condition. | 2025-12-04 | not yet calculated | CVE-2025-40240 | https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9 https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016 https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1 https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix crafted invalid cases for encoded extents Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15: – The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent special extents such as sparse extents (!EROFS_MAP_MAPPED), but previously only plen == 0 was handled; – The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000, then “cur [0xfffffffffffff000] += bvec.bv_len [0x1000]” in “} while ((cur += bvec.bv_len) < end);” wraps around, causing an out-of-bound access of pcl->compressed_bvecs[] in z_erofs_submit_queue(). EROFS only supports 48-bit physical block addresses (up to 1EiB for 4k blocks), so add a sanity check to enforce this. | 2025-12-04 | not yet calculated | CVE-2025-40241 | https://git.kernel.org/stable/c/00d8fe0b72f4ca0a983abced36aad2160038c421 https://git.kernel.org/stable/c/a429b76114aaca3ef1aff4cd469dcf025431bd11 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn’t been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released. | 2025-12-04 | not yet calculated | CVE-2025-40242 | https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641 https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40 https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() The syzbot reported issue in hfs_find_set_zero_bits(): ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 block_write_begin fs/buffer.c:2262 [inline] cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 cont_expand_zero fs/buffer.c:2528 [inline] cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 notify_change+0x1993/0x1aa0 fs/attr.c:552 do_truncate+0x28f/0x310 fs/open.c:68 do_ftruncate+0x698/0x730 fs/open.c:195 do_sys_ftruncate fs/open.c:210 [inline] __do_sys_ftruncate fs/open.c:215 [inline] __se_sys_ftruncate fs/open.c:213 [inline] __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 kmalloc_noprof include/linux/slab.h:905 [inline] hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337 get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 get_tree_bdev+0x38/0x50 fs/super.c:1704 hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 do_new_mount+0x738/0x1610 fs/namespace.c:3902 path_mount+0x6db/0x1e90 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 ===================================================== The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); Finally, it can trigger the reported issue because kmalloc() doesn’t clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the “garbage”, then it can affect the bitmap operations and it triggers the reported issue. This patch simply exchanges the kmalloc() for kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap’s read operation could not fill the whole allocated memory and “garbage” in the not initialized memory will be the reason of volume corruptions and file system driver bugs. | 2025-12-04 | not yet calculated | CVE-2025-40243 | https://git.kernel.org/stable/c/fc56548fca732f3d3692c83b40db796259a03887 https://git.kernel.org/stable/c/bf1683078fbdd09a7f7f9b74121ebaa03432bd00 https://git.kernel.org/stable/c/2a112cdd66f5a132da5235ca31a320528c86bf33 https://git.kernel.org/stable/c/e148ed5cda8fd96d4620c4622fb02f552a2d166a https://git.kernel.org/stable/c/cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca https://git.kernel.org/stable/c/3b447fd401824e1ccf0b769188edefe866a1e676 https://git.kernel.org/stable/c/502fa92a71f344611101bd04ef1a595b8b6014f5 https://git.kernel.org/stable/c/2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() The syzbot reported issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 [ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 [ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 [ 70.199771][ T9350] ksys_write+0x23e/0x490 [ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 [ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.202054][ T9350] [ 70.202279][ T9350] Uninit was created at: [ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 [ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 [ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 [ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 [ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 [ 70.207961][ T9350] ksys_write+0x23e/0x490 [ 70.208375][ T9350] __x64_sys_write+0x97/0xf0 [ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.210230][ T9350] [ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.212115][ T9350] ===================================================== [ 70.212734][ T9350] Disabling lock debugging due to kernel taint [ 70.213284][ T9350] Kernel panic – not syncing: kmsan.panic set … [ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 [ 70.214679][ T9350] Tainted: [B]=BAD_PAGE [ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.215999][ T9350] Call Trace: [ 70.216309][ T9350] <TASK> [ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 [ 70.217025][ T9350] dump_stack+0x1e/0x30 [ 70.217421][ T9350] panic+0x502/0xca0 [ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 [ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 … kernel :[ 70.213284][ T9350] Kernel panic – not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 set … [ 70.221254][ T9350] ? __msan_warning+0x96/0x120 [ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 [ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 [ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 [ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 [ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 [ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 [ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 [ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 [ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0 [ 70.228997][ T9350] ? ksys_write+0x23e/0x490 —truncated— | 2025-12-04 | not yet calculated | CVE-2025-40244 | https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71 https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598 https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899 https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nios2: ensure that memblock.current_limit is set when setting pfn limits On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM. This can in turn cause kernel-level paging failures, e.g.: [ 76.900000] Unable to handle kernel paging request at virtual address 20303000 [ 76.900000] ea = c0080890, ra = c000462c, cause = 14 [ 76.900000] Kernel panic – not syncing: Oops [ 76.900000] —[ end Kernel panic – not syncing: Oops ]— This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture. | 2025-12-04 | not yet calculated | CVE-2025-40245 | https://git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3 https://git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2 https://git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975 https://git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997 https://git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c https://git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix out of bounds memory read error in symlink repair xfs/286 produced this report on my test fleet: ================================================================== BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184): memcpy_orig+0x54/0x110 xrep_symlink_salvage_inline+0xb3/0xf0 [xfs] xrep_symlink_salvage+0x100/0x110 [xfs] xrep_symlink+0x2e/0x80 [xfs] xrep_attempt+0x61/0x1f0 [xfs] xfs_scrub_metadata+0x34f/0x5c0 [xfs] xfs_ioc_scrubv_metadata+0x387/0x560 [xfs] xfs_file_ioctl+0xe23/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128 allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago): xfs_init_local_fork+0x79/0xe0 [xfs] xfs_iformat_local+0xa4/0x170 [xfs] xfs_iformat_data_fork+0x148/0x180 [xfs] xfs_inode_from_disk+0x2cd/0x480 [xfs] xfs_iget+0x450/0xd60 [xfs] xfs_bulkstat_one_int+0x6b/0x510 [xfs] xfs_bulkstat_iwalk+0x1e/0x30 [xfs] xfs_iwalk_ag_recs+0xdf/0x150 [xfs] xfs_iwalk_run_callbacks+0xb9/0x190 [xfs] xfs_iwalk_ag+0x1dc/0x2f0 [xfs] xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs] xfs_iwalk+0xa4/0xd0 [xfs] xfs_bulkstat+0xfa/0x170 [xfs] xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs] xfs_file_ioctl+0xbf2/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014 ================================================================== On further analysis, I realized that the second parameter to min() is not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data buffer. if_bytes can be smaller than the data fork size because: (a) the forkoff code tries to keep the data area as large as possible (b) for symbolic links, if_bytes is the ondisk file size + 1 (c) forkoff is always a multiple of 8. Case in point: for a single-byte symlink target, forkoff will be 8 but the buffer will only be 2 bytes long. In other words, the logic here is wrong and we walk off the end of the incore buffer. Fix that. | 2025-12-04 | not yet calculated | CVE-2025-40246 | https://git.kernel.org/stable/c/7c2d68e091584149fe89bcbaf9b99b3162d46ee7 https://git.kernel.org/stable/c/81a8685cac4bf081c93a7df591644f4f80240bb9 https://git.kernel.org/stable/c/678e1cc2f482e0985a0613ab4a5bf89c497e5acc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix pgtable prealloc error path The following splat was reported: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT) pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=–) pc : build_detached_freelist+0x28/0x224 lr : kmem_cache_free_bulk.part.0+0x38/0x244 sp : ffff000a508c7a20 x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350 x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000 x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000 x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8 x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640 x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30 x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940 x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000 x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8 x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00 Call trace: build_detached_freelist+0x28/0x224 (P) kmem_cache_free_bulk.part.0+0x38/0x244 kmem_cache_free_bulk+0x10/0x1c msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0 msm_vma_job_free+0x30/0x240 msm_ioctl_vm_bind+0x1d0/0x9a0 drm_ioctl_kernel+0x84/0x104 drm_ioctl+0x358/0x4d4 __arm64_sys_ioctl+0x8c/0xe0 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0x3c/0xe0 do_el0_svc+0x18/0x20 el0_svc+0x30/0x100 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x170/0x174 Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6) —[ end trace 0000000000000000 ]— Since msm_vma_job_free() is called directly from the ioctl, this looks like an error path cleanup issue. Which I think results from prealloc_cleanup() called without a preceding successful prealloc_allocate() call. So handle that case better. Patchwork: https://patchwork.freedesktop.org/patch/678677/ | 2025-12-04 | not yet calculated | CVE-2025-40247 | https://git.kernel.org/stable/c/b865da18b6cb878f33b5920693d03f23b9c4d1a3 https://git.kernel.org/stable/c/830d68f2cb8ab6fb798bb9555016709a9e012af0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket’s state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap’s assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don’t linger, can’t be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ | 2025-12-04 | not yet calculated | CVE-2025-40248 | https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680 https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559 https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81 https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5 https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: make sure the cdev fd is still active before emitting events With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It’s possible that a GPIO change, we want to notify the user-space about, happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue and so BEFORE we unregistered from the notifier. Using the regular get_file() routine in this situation triggers the following warning: struct file::f_count incremented from zero; use-after-free condition present! So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released. | 2025-12-04 | not yet calculated | CVE-2025-40249 | https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1 https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation’s associated glue object. Note: This error is observed when both fwctl and rds configs are enabled. [1] mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI RIP: 0010:free_irq_cpu_rmap+0x23/0x7d Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] ? __die_body.cold+0x8/0xa ? die_addr+0x39/0x53 ? exc_general_protection+0x1c4/0x3e9 ? dev_vprintk_emit+0x5f/0x90 ? asm_exc_general_protection+0x22/0x27 ? free_irq_cpu_rmap+0x23/0x7d mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] irq_pool_request_vector+0x7d/0x90 [mlx5_core] mlx5_irq_request+0x2e/0xe0 [mlx5_core] mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] comp_irq_request_pci+0x64/0xf0 [mlx5_core] create_comp_eq+0x71/0x385 [mlx5_core] ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] ? xas_load+0x8/0x91 mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] mlx5e_open_channels+0xad/0x250 [mlx5_core] mlx5e_open_locked+0x3e/0x110 [mlx5_core] mlx5e_open+0x23/0x70 [mlx5_core] __dev_open+0xf1/0x1a5 __dev_change_flags+0x1e1/0x249 dev_change_flags+0x21/0x5c do_setlink+0x28b/0xcc4 ? __nla_parse+0x22/0x3d ? inet6_validate_link_af+0x6b/0x108 ? cpumask_next+0x1f/0x35 ? __snmp6_fill_stats64.constprop.0+0x66/0x107 ? __nla_validate_parse+0x48/0x1e6 __rtnl_newlink+0x5ff/0xa57 ? kmem_cache_alloc_trace+0x164/0x2ce rtnl_newlink+0x44/0x6e rtnetlink_rcv_msg+0x2bb/0x362 ? __netlink_sendskb+0x4c/0x6c ? netlink_unicast+0x28f/0x2ce ? rtnl_calcit.isra.0+0x150/0x146 netlink_rcv_skb+0x5f/0x112 netlink_unicast+0x213/0x2ce netlink_sendmsg+0x24f/0x4d9 __sock_sendmsg+0x65/0x6a ____sys_sendmsg+0x28f/0x2c9 ? import_iovec+0x17/0x2b ___sys_sendmsg+0x97/0xe0 __sys_sendmsg+0x81/0xd8 do_syscall_64+0x35/0x87 entry_SYSCALL_64_after_hwframe+0x6e/0x0 RIP: 0033:0x7fc328603727 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00000000000 —truncated— | 2025-12-04 | not yet calculated | CVE-2025-40250 | https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0 https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977 https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to “Unset parent for all rate objects”. However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent’s refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared. This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function’s documented behavior for all rate objects. [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2025-12-04 | not yet calculated | CVE-2025-40251 | https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2 https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8 https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3 https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in ‘qede_tpa_cont()’ and ‘qede_tpa_end()’, iterate over ‘cqe->len_list[]’ using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-04 | not yet calculated | CVE-2025-40252 | https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0 https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24 https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfree The function ‘mpc_rcvd_sweep_req(mpcginfo)’ is called conditionally from function ‘ctcmpc_unpack_skb’. It frees passed mpcginfo. After that a call to function ‘kfree’ in function ‘ctcmpc_unpack_skb’ frees it again. Remove ‘kfree’ call in function ‘mpc_rcvd_sweep_req(mpcginfo)’. Bug detected by the clang static analyzer. | 2025-12-04 | not yet calculated | CVE-2025-40253 | https://git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2 https://git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a https://git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5 https://git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8 https://git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472 https://git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589 https://git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c https://git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(…)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(…)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing a kernel crash when trying to write into the mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into a masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases. | 2025-12-04 | not yet calculated | CVE-2025-40254 | https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7 https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9 https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99 https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987 https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475 https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3 https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower() results in generic_hwtstamp_ioctl_lower() being called with kernel_cfg->ifr as NULL. The generic_hwtstamp_ioctl_lower() function does not expect a NULL ifr and dereferences it, leading to a system crash. Fix this by adding a NULL check for kernel_cfg->ifr in generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL. | 2025-12-04 | not yet calculated | CVE-2025-40255 | https://git.kernel.org/stable/c/8817f816ae41908e9625c0770c4af0dcdcc01238 https://git.kernel.org/stable/c/f796a8dec9beafcc0f6f0d3478ed685a15c5e062 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b (“xfrm: delete x->tunnel as we delete x”), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn’t go through __xfrm_state_delete, so we don’t call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A “proper” rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work). | 2025-12-04 | not yet calculated | CVE-2025-40256 | https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715 https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object m —truncated— | 2025-12-04 | not yet calculated | CVE-2025-40257 | https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17 https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12 https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7 https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2 https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(…)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(…)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 | 2025-12-04 | not yet calculated | CVE-2025-40258 | https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5 https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18 https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309 https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Do not sleep in atomic context sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. | 2025-12-04 | not yet calculated | CVE-2025-40259 | https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b https://git.kernel.org/stable/c/db6ac8703ab2b473e1ec845f57f6dd961a388d9f https://git.kernel.org/stable/c/109afbd88ecc46b6cc7551367222387e97999765 https://git.kernel.org/stable/c/3dfd520c3b4ffe69e0630c580717d40447ab842f https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5 https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix scx_enable() crash on helper kthread creation failure A crash was observed when the sched_ext selftests runner was terminated with Ctrl+ while test 15 was running: NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0 LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0 Call Trace: scx_enable.constprop.0+0x32c/0x12b0 (unreliable) bpf_struct_ops_link_create+0x18c/0x22c __sys_bpf+0x23f8/0x3044 sys_bpf+0x2c/0x6c system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec kthread_run_worker() returns an ERR_PTR() on failure rather than NULL, but the current code in scx_alloc_and_add_sched() only checks for a NULL helper. In case of failure on SIGQUIT, the error is not handled in scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an error pointer. Error handling is fixed in scx_alloc_and_add_sched() to propagate PTR_ERR() into ret, so that scx_enable() jumps to the existing error path, avoiding a random dereference on failure. | 2025-12-04 | not yet calculated | CVE-2025-40260 | https://git.kernel.org/stable/c/625e173e2a59b6cf6cbfb51c0a6bea47f3861eab https://git.kernel.org/stable/c/7b6216baae751369195fa3c83d434d23bcda406a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() nvme_fc_delete_association() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK> | 2025-12-04 | not yet calculated | CVE-2025-40261 | https://git.kernel.org/stable/c/3d78e8e01251da032a5f7cbc9728e4ab1a5a5464 https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d https://git.kernel.org/stable/c/3d81beae4753db3b3dc5b70dc300d4036e0d9cb8 https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167 https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imx_sc_key_action() function is called. Remove the &. | 2025-12-04 | not yet calculated | CVE-2025-40262 | https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2 https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3 https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2 https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336 https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such a case. Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 … x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread It is still unknown why the kernel receives such a malformed event; in any case, the kernel shouldn't access `ckdev->idev` and friends if the driver doesn't intend to initialize them. | 2025-12-04 | not yet calculated | CVE-2025-40263 | https://git.kernel.org/stable/c/7bfd959187f2c7584bb43280bbc7b2846e7a5085 https://git.kernel.org/stable/c/8b5ae1521660c16fa830ff17d16e650b4905b71a https://git.kernel.org/stable/c/729d21c82c1b0504ffccb17cc261bf32e024fd0f https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7 https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39 https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb (“be2net: fix a Tx stall bug caused by a specific ipv6 packet”) states. The correct way would be to pass the wrb_params from be_xmit(). | 2025-12-04 | not yet calculated | CVE-2025-40264 | https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405 https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284 https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388 https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89 https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vfat: fix missing sb_min_blocksize() return value checks When emulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, but without format, a kernel panic was triggered during the early boot stage while attempting to mount a vfat filesystem. [95553.682035] EXT4-fs (nvme0n1): unable to set blocksize [95553.684326] EXT4-fs (nvme0n1): unable to set blocksize [95553.686501] EXT4-fs (nvme0n1): unable to set blocksize [95553.696448] ISOFS: unsupported/invalid hardware sector size 8192 [95553.697117] ------------[ cut here ]------------ [95553.697567] kernel BUG at fs/buffer.c:1582! [95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI [95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary) [95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0 [95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f [95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246 [95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001 [95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000 [95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000 [95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000 [95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000 [95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0 [95553.708439] PKRU: 55555554 [95553.708734] Call Trace: [95553.709015] <TASK> [95553.709266] __getblk_slow+0xd2/0x230 [95553.709641] ? find_get_block_common+0x8b/0x530 [95553.710084] bdev_getblk+0x77/0xa0 [95553.710449] __bread_gfp+0x22/0x140 [95553.710810] fat_fill_super+0x23a/0xfc0 [95553.711216] ? __pfx_setup+0x10/0x10 [95553.711580] ? __pfx_vfat_fill_super+0x10/0x10 [95553.712014] vfat_fill_super+0x15/0x30 [95553.712401] get_tree_bdev_flags+0x141/0x1e0 [95553.712817] get_tree_bdev+0x10/0x20 [95553.713177] vfat_get_tree+0x15/0x20 [95553.713550] vfs_get_tree+0x2a/0x100 [95553.713910] vfs_cmd_create+0x62/0xf0 [95553.714273] __do_sys_fsconfig+0x4e7/0x660 [95553.714669] __x64_sys_fsconfig+0x20/0x40 [95553.715062] x64_sys_call+0x21ee/0x26a0 [95553.715453] do_syscall_64+0x80/0x670 [95553.715816] ? __fs_parse+0x65/0x1e0 [95553.716172] ? fat_parse_param+0x103/0x4b0 [95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0 [95553.717034] ? __do_sys_fsconfig+0x3d9/0x660 [95553.717548] ? __x64_sys_fsconfig+0x20/0x40 [95553.717957] ? x64_sys_call+0x21ee/0x26a0 [95553.718360] ? do_syscall_64+0xb8/0x670 [95553.718734] ? __x64_sys_fsconfig+0x20/0x40 [95553.719141] ? x64_sys_call+0x21ee/0x26a0 [95553.719545] ? do_syscall_64+0xb8/0x670 [95553.719922] ? x64_sys_call+0x1405/0x26a0 [95553.720317] ? do_syscall_64+0xb8/0x670 [95553.720702] ? __x64_sys_close+0x3e/0x90 [95553.721080] ? x64_sys_call+0x1b5e/0x26a0 [95553.721478] ? do_syscall_64+0xb8/0x670 [95553.721841] ? irqentry_exit+0x43/0x50 [95553.722211] ? exc_page_fault+0x90/0x1b0 [95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e [95553.723166] RIP: 0033:0x72ee774f3afe [95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48 [95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af [95553.725892] RAX: ffffffffffffffda RBX: —truncated— | 2025-12-04 | not yet calculated | CVE-2025-40265 | https://git.kernel.org/stable/c/ee767b99b0045be286cceb8265bd4c9831be671e https://git.kernel.org/stable/c/63b5aa01da0f38cdbd97d021477258e511631497 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. | 2025-12-04 | not yet calculated | CVE-2025-40266 | https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041 https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051 https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3 https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: ensure allocated iovec gets cleared for early failure A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early. Reinstate the previous forced free of the iovec for that situation. | 2025-12-06 | not yet calculated | CVE-2025-40267 | https://git.kernel.org/stable/c/094c6467fe05e0de618c5a7fcff4d3ee20aeaef8 https://git.kernel.org/stable/c/d3c9c213c0b86ac5dd8fe2c53c24db20f1f510bc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 | 2025-12-06 | not yet calculated | CVE-2025-40268 | https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it’s always equal or greater than ep->packsize[0]. | 2025-12-06 | not yet calculated | CVE-2025-40269 | https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7 https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9 https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0 https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6 https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 (“mm, swap: avoid redundant swap device pinning”), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn’t needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry’s swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It’s not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. | 2025-12-06 | not yet calculated | CVE-2025-40270 | https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing; the testcases getdent and tun need to run at the same time. The steps of the issue are as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time window] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will cause uaf access. CPU 0 \| CPU 1 ————————————————————————- traverse dir /proc/pid/net/dev_snmp6/ \| unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() \| iterate_dir() \| proc_readdir() \| proc_readdir_de() \| snmp6_unregister_dev() pde_get(de); \| proc_remove() read_unlock(&proc_subdir_lock); \| remove_proc_subtree() \| write_lock(&proc_subdir_lock); [time window] \| rb_erase(&root->subdir_node, &parent->subdir); \| write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); \| next = pde_subdir_next(de); \| pde_put(de); \| de = next; //UAF \| rbtree of dev_snmp6 \| pde(tun3) / NULL pde(tun2) | 2025-12-06 | not yet calculated | CVE-2025-40271 | https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491 https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50 https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369 https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774 https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046 https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8 https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110 https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. | 2025-12-06 | not yet calculated | CVE-2025-40272 | https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785 https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367 https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047 https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent’s stateid is being closed/freed or in nfsd4_laundromat if the stateid hasn’t been used in a lease period. However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning, and the following is triggered: WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later. [ 1626.839430] Internal error: Oops – BUG: 00000000f2000800 [#1] SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=–) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813] laundromat_main+0x24/0x60 [nfsd] [ 1626.870231] process_one_work+0x584/0x1050 [ 1626.870595] worker_thread+0x4c4/0xc60 [ 1626.870893] kthread+0x2f8/0x398 [ 1626.871146] ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs | 2025-12-06 | not yet calculated | CVE-2025-40273 | https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4 https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088 https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7 https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN: ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022 CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeeff8efc9 </TASK> Allocated by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2533 [inline] slab_free mm/slub.c:6622 [inline] kfree+0x19a/0x6d0 mm/slub.c:6829 kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Deliberately don’t acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM. Dereferencing the mapping is *probably* fine, but there’s no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual —truncated— | 2025-12-06 | not yet calculated | CVE-2025-40274 | https://git.kernel.org/stable/c/a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b https://git.kernel.org/stable/c/393893693a523e053f84d69320d090b93503f79f https://git.kernel.org/stable/c/ae431059e75d36170a5ae6b44cc4d06d43613215 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor. | 2025-12-06 | not yet calculated | CVE-2025-40275 | https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063 https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0 https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don’t CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted. | 2025-12-06 | not yet calculated | CVE-2025-40276 | https://git.kernel.org/stable/c/7a12f9c96d06b145562f76ffb20369b4692f0911 https://git.kernel.org/stable/c/576c930e5e7dcb937648490611a83f1bf0171048 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. | 2025-12-06 | not yet calculated | CVE-2025-40277 | https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53 https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by syzbot. [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable ‘opt’ was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak. | 2025-12-06 | not yet calculated | CVE-2025-40278 | https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1 https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable ‘opt’ was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. | 2025-12-06 | not yet calculated | CVE-2025-40279 | https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7 https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70 https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343 https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let’s hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ —truncated— | 2025-12-06 | not yet calculated | CVE-2025-40280 | https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88 https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901 https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19 https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77 https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373 https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type ‘unsigned int’ CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline] | 2025-12-06 | not yet calculated | CVE-2025-40281 | https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4 https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187 https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675 https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8 https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw – Success) —— kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> … packet_rcv (net/packet/af_packet.c:2152) … <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) —— | 2025-12-06 | not yet calculated | CVE-2025-40282 | https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818 https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62 https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237 https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling “usb_driver_release_interface(&btusb_driver, data->intf)” will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free’d. | 2025-12-06 | not yet calculated | CVE-2025-40283 | https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8 https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8 https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in “Mesh – Send cancel – 1” test). Log: —— BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 … Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 —— | 2025-12-06 | not yet calculated | CVE-2025-40284 | https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76 https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put(). | 2025-12-06 | not yet calculated | CVE-2025-40285 | https://git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981 https://git.kernel.org/stable/c/e671f9bb97805771380c98de944e2ceab6949188 https://git.kernel.org/stable/c/dcc51dfe6ff26b52cac106865a172ac982d78401 https://git.kernel.org/stable/c/d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d https://git.kernel.org/stable/c/379510a815cb2e64eb0a379cb62295d6ade65df0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). | 2025-12-06 | not yet calculated | CVE-2025-40286 | https://git.kernel.org/stable/c/0797c6cf3b857cc229ab2bc69552938dcd738d78 https://git.kernel.org/stable/c/63d8706a2c09a0c29b8b0e8a44bc7a1339685de9 https://git.kernel.org/stable/c/f1305587731886da37a214cda812ade246c653b0 https://git.kernel.org/stable/c/bfda5422a16651d0bf864ec468b1c216e1b10d91 https://git.kernel.org/stable/c/6fced056d2cc8d01b326e6fcfabaacb9850b71a4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls – SYS_openat, SYS_ftruncate, and SYS_pwrite64 – can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability. | 2025-12-06 | not yet calculated | CVE-2025-40287 | https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs, since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately, skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it: – Works for all scenarios where the VRAM manager is uninitialized (not just APUs), – Aligns with TTM’s design by using its native helper function, – Preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian) | 2025-12-06 | not yet calculated | CVE-2025-40288 | https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. | 2025-12-06 | not yet calculated | CVE-2025-40289 | https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1 https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0 https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82 |
| loadedcommerce–Loaded Commerce | Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter. | 2025-12-04 | not yet calculated | CVE-2025-66572 | ExploitDB-52084 Loaded Commerce Homepage https://www.vulncheck.com/advisories/loaded-commerce-66-client-side-template-injectioncsti |
| Lookyloo–lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66458 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87 https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290 |
| Lookyloo–lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66459 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1 https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116 https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442 |
| Lookyloo–lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66460 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3 https://github.com/Lookyloo/lookyloo/commit/63b39311f6b251a671895d97174345faf1b18e6e |
| Mautic–Mautic | Summary: Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact: If the media folder is not restricted from running files, this can lead to remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-13827 | https://github.com/mautic/mautic/security/advisories/GHSA-5xw2-57jx-pgjp |
| Mautic–Mautic | Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable composer based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges. | 2025-12-02 | not yet calculated | CVE-2025-13828 | https://github.com/mautic/mautic/security/advisories/GHSA-3fq7-c5m8-g86x |
| mayurik–dawa-pharma | dawa-pharma-1.0 allows unauthenticated attackers to execute SQL queries on the server, allowing them to access sensitive information and potentially gain administrative access. | 2025-12-04 | not yet calculated | CVE-2023-53734 | ExploitDB-51818 Mayuri K Pharmacy Billing Software GitHub Repository for CVE-nu11secur1ty nu11secur1ty Home Page https://www.vulncheck.com/advisories/dawa-pharma-10-sql-injection-via-email-parameter |
| mborgerding/kissfft–mborgerding/kissfft | KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures. | 2025-12-01 | not yet calculated | CVE-2025-34297 | https://github.com/mborgerding/kissfft/commit/1b08316582049c3716154caefc0deab8758506e3 https://github.com/mborgerding/kissfft/issues/120 https://www.vulncheck.com/advisories/kissfft-integer-overflow-heap-buffer-overflow |
| MediaTek, Inc.–MT2718, MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6897, MT6899, MT6980D, MT6983, MT6985, MT6989, MT6990, MT6991, MT8113, MT8115, MT8139, MT8163, MT8168, MT8169, MT8183, MT8186, MT8188, MT8512, MT8516, MT8518, MT8519, MT8532, MT8676, MT8678, MT8695, MT8696, MT8698 | In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833. | 2025-12-02 | not yet calculated | CVE-2025-20765 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4820. | 2025-12-02 | not yet calculated | CVE-2025-20766 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4807. | 2025-12-02 | not yet calculated | CVE-2025-20767 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4804. | 2025-12-02 | not yet calculated | CVE-2025-20769 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4803. | 2025-12-02 | not yet calculated | CVE-2025-20770 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4802. | 2025-12-02 | not yet calculated | CVE-2025-20771 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4801. | 2025-12-02 | not yet calculated | CVE-2025-20772 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797. | 2025-12-02 | not yet calculated | CVE-2025-20773 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4796. | 2025-12-02 | not yet calculated | CVE-2025-20774 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689251; Issue ID: MSV-4840. | 2025-12-02 | not yet calculated | CVE-2025-20754 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647. | 2025-12-02 | not yet calculated | CVE-2025-20758 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8676, MT8791T | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01270690; Issue ID: MSV-4301. | 2025-12-02 | not yet calculated | CVE-2025-20752 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673760; Issue ID: MSV-4650. | 2025-12-02 | not yet calculated | CVE-2025-20759 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689252; Issue ID: MSV-4841. | 2025-12-02 | not yet calculated | CVE-2025-20753 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643. | 2025-12-02 | not yet calculated | CVE-2025-20756 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661199; Issue ID: MSV-4296. | 2025-12-02 | not yet calculated | CVE-2025-20750 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661195; Issue ID: MSV-4297. | 2025-12-02 | not yet calculated | CVE-2025-20751 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible application crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00628396; Issue ID: MSV-4775. | 2025-12-02 | not yet calculated | CVE-2025-20755 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673751; Issue ID: MSV-4644. | 2025-12-02 | not yet calculated | CVE-2025-20757 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01677581; Issue ID: MSV-4701. | 2025-12-02 | not yet calculated | CVE-2025-20790 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661189; Issue ID: MSV-4298. | 2025-12-02 | not yet calculated | CVE-2025-20791 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791T | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01717526; Issue ID: MSV-5591. | 2025-12-02 | not yet calculated | CVE-2025-20792 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4805. | 2025-12-02 | not yet calculated | CVE-2025-20768 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795. | 2025-12-02 | not yet calculated | CVE-2025-20775 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184297; Issue ID: MSV-4759. | 2025-12-02 | not yet calculated | CVE-2025-20776 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4752. | 2025-12-02 | not yet calculated | CVE-2025-20777 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In smi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10259774; Issue ID: MSV-5029. | 2025-12-02 | not yet calculated | CVE-2025-20764 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6781, MT6833, MT6853, MT6877, MT6893, MT8196 | In GPU pdma, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117741; Issue ID: MSV-4538. | 2025-12-02 | not yet calculated | CVE-2025-20789 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In mmdvfs, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267218; Issue ID: MSV-5032. | 2025-12-02 | not yet calculated | CVE-2025-20763 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.–MT6991, MT8196 | In GPU pdma, there is a possible memory corruption due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117735; Issue ID: MSV-4539. | 2025-12-02 | not yet calculated | CVE-2025-20788 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| mersive–Solstice Pod API Session Key Extraction via API Endpoint | Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication. | 2025-12-04 | not yet calculated | CVE-2025-66573 | ExploitDB-52104 Mersive Homepage Solstice Documentation https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint |
| modelcontextprotocol–python-sdk | The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0. | 2025-12-02 | not yet calculated | CVE-2025-66416 | https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99 |
| modelcontextprotocol–typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0. | 2025-12-02 | not yet calculated | CVE-2025-66414 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed |
| monkeytypegame–monkeytype | Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they’re inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags). | 2025-12-04 | not yet calculated | CVE-2025-66563 | https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27 https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695 |
| mozilla–rhino | Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1. | 2025-12-03 | not yet calculated | CVE-2025-66453 | https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x |
| n/a– Aquarius HelperTool (1.0.003) privileged XPC service on macOS | The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client’s identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. | 2025-12-03 | not yet calculated | CVE-2025-65842 | https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/ |
| n/a–Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 | Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt. | 2025-12-03 | not yet calculated | CVE-2025-65320 | https://github.com/Smarttfoxx/CVE-2025– https://packetstorm.news/files/id/212149 |
| n/a–Akamai Ghost on Akamai CDN edge servers before 2025-11-17 | Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain circumstances, Akamai Ghost erroneously forwards the invalid request and subsequent superfluous bytes to the origin server. An attacker could hide a smuggled request in these superfluous bytes. Whether this is exploitable depends on the origin server’s behavior and how it processes the invalid request it receives from Akamai Ghost. | 2025-12-04 | not yet calculated | CVE-2025-66373 | https://en.wikipedia.org/wiki/HTTP_request_smuggling https://www.akamai.com/blog/security/cve-2025-66373-http-request-smuggling-chunked-body-size |
| n/a–alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation. | 2025-12-03 | not yet calculated | CVE-2025-65345 | https://github.com/alexusmai/laravel-file-manager https://github.com/tlekrean/CVE-2025-65345 |
| n/a–alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths. | 2025-12-04 | not yet calculated | CVE-2025-65346 | https://github.com/alexusmai/laravel-file-manager https://github.com/Theethat-Thamwasin/CVE-2025-65346 |
| n/a–Alinto Sogo 5.12.3 | Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | 2025-12-04 | not yet calculated | CVE-2025-63499 | https://github.com/poblaguev-tot/CVE-2025-63499 https://email.example.com/SOGo/so/victim@example.com/Mail/view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E |
| n/a–ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | 2025-12-04 | not yet calculated | CVE-2025-29268 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a–ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. | 2025-12-04 | not yet calculated | CVE-2025-29269 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a–ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | 2025-12-04 | not yet calculated | CVE-2025-57210 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/4411663241fa3bbba628d3044dc50451 |
| n/a–ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57212 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/85730f2317cfac2796fe5e23da3ae399 |
| n/a–Aquarius Desktop 3.0.069 | Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed. | 2025-12-03 | not yet calculated | CVE-2025-65843 | https://almightysec.com/insecure-file-handling-via-symlink/ |
| n/a–Aquarius Desktop 3.0.069 for macOS | Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is “encrypted” through a predictable byte substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim’s Aquarius account by importing the stolen configuration into their own client or by logging in through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | 2025-12-03 | not yet calculated | CVE-2025-65841 | http://acustica.com http://aquarius.com https://almightysec.com/account-takeover-via-weak-encryption/ |
| n/a–Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18 | Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication. | 2025-12-05 | not yet calculated | CVE-2025-65730 | https://github.com/pommee/goaway/releases/tag/v0.62.16 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L15 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L110 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L69 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/auth.go#L48 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L88 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L40 https://github.com/pommee/goaway/commit/5769f8782b7453ca1c22a201b224b5ce48532f64#diff-4ddfd6cf1311ddfd45734bb1dc53bc208df69584ba92ac4f38866bd558434678L15-L40 https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730 |
| n/a–AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57198 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57198 |
| n/a–AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57199 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57199 |
| n/a–AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57200 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57200 |
| n/a–AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57201 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57201 |
| n/a–AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field. | 2025-12-03 | not yet calculated | CVE-2025-57202 | http://avtech.com http://dmg1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57202 |
| n/a–Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 | An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device. | 2025-12-04 | not yet calculated | CVE-2025-63896 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE/blob/main/README.md |
| n/a–Calibre-Web v0.6.25 | A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the ‘username’ field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed. | 2025-12-02 | not yet calculated | CVE-2025-65858 | https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md |
| n/a–CiviCRM before v6.7 | A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed. | 2025-12-02 | not yet calculated | CVE-2025-65187 | https://civicrm.com/ https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf |
| n/a–code-projects Online Medicine Guide 1.0 | code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter. | 2025-12-02 | not yet calculated | CVE-2025-60736 | https://github.com/WinDyAlphA/CVE-2025-60736 |
| n/a–ComposioHQ v.0.7.20 | Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function. | 2025-12-04 | not yet calculated | CVE-2025-56427 | https://github.com/ComposioHQ/composio/blob/master/python/composio/server/api.py#L278 https://github.com/TOAST-Research/pocs/blob/main/composio/composio_1.md |
| n/a–D-Link R15 (AX1500) 1.20.01 | A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd. | 2025-12-02 | not yet calculated | CVE-2025-60854 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473 |
| n/a–dcat-admin v2.2.3-beta and before | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. | 2025-12-02 | not yet calculated | CVE-2025-65656 | https://github.com/jqhph/dcat-admin https://github.com/lznlol/operation-log/blob/main/CVE-2025-65656.md |
| n/a–DeepSeek V3.2 | DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content. | 2025-12-02 | not yet calculated | CVE-2025-63872 | https://medium.com/@vinitkundu14/cve-2025-63872-svg-based-xss-in-deepseek-chat-v3-2-db4ebc1f1f28 |
| n/a–E-POINT CMS eagle.gsam-1169.1 | The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets. | 2025-12-04 | not yet calculated | CVE-2025-65806 | https://www.e-point.pl/produkty/e-point-cms https://github.com/Bidon47/CVE-2025-65806/blob/main/CVE-2025-65806.md |
| n/a–Edoc-doctor-appointment-system v1.0.1 | Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the ‘docid’ parameter at /admin/appointment.php. | 2025-12-02 | not yet calculated | CVE-2025-65358 | https://github.com/HashenUdara/edoc-doctor-appointment-system https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-65358 |
| n/a–EduplusCampus 3.0.1 | An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students’ personal and financial records by modifying the ‘rec_no’ parameter in the /student/get-receipt endpoint. | 2025-12-04 | not yet calculated | CVE-2025-61148 | https://drive.google.com/file/d/1BRZRurbl7TY6KU4uaelAUn7L9Cn6XfjC/view?usp=sharing https://medium.com/@Charon19d/how-i-hacked-all-universities-in-my-city-d6b8e320455c https://github.com/sharma19d/CVE-2025-61148 |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing the tamper label and opening the chassis without leaving evidence, and accessing the JTAG connector. This is called F02. | 2025-12-02 | not yet calculated | CVE-2025-59693 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to persistently modify firmware and influence the (insecurely configured) appliance boot process. To exploit this, the attacker must modify the firmware via JTAG or perform an upgrade to the chassis management board firmware. This is called F03. | 2025-12-02 | not yet calculated | CVE-2025-59694 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04. | 2025-12-02 | not yet calculated | CVE-2025-59695 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board. | 2025-12-02 | not yet calculated | CVE-2025-59696 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host OS. This is called F06. | 2025-12-02 | not yet calculated | CVE-2025-59697 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59698 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59699 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection). | 2025-12-02 | not yet calculated | CVE-2025-59700 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted). | 2025-12-02 | not yet calculated | CVE-2025-59701 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | 2025-12-02 | not yet calculated | CVE-2025-59702 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack. | 2025-12-02 | not yet calculated | CVE-2025-59703 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access to the BIOS menu because it has no password. | 2025-12-02 | not yet calculated | CVE-2025-59704 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka “Unauthorized Reactivation of the USB interface” or F01. | 2025-12-02 | not yet calculated | CVE-2025-59705 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a–ERPNext v15.83.2 and Frappe Framework v15.86.0 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | 2025-12-03 | not yet calculated | CVE-2025-65267 | https://github.com/frappe/frappe https://github.com/frappe/erpnext https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 |
| n/a–EverShop 2.0.1 | EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space. | 2025-12-02 | not yet calculated | CVE-2025-65844 | https://github.com/evershopcommerce/evershop/issues/819 |
| n/a–Eximbills Enterprise 4.1.5 (Built on 2020-10-30) | Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers. | 2025-12-01 | not yet calculated | CVE-2025-64030 | https://chinasystems.com/whatwedo/ee https://0xy37.medium.com/stored-xss-in-chinasystems-eximbills-enterprise-v4-1-5-f8f5a79c4f0b |
| n/a–eyoucms v1.7.1 | XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request. | 2025-12-03 | not yet calculated | CVE-2025-65868 | https://github.com/weng-xianhu/eyoucms/issues/66 |
| n/a–Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2025-64052 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64052.md |
| n/a–Fanvil x210 V2 2.12.20 | A Buffer overflow vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64053 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64053.md |
| n/a–Fanvil x210 V2 2.12.20 | A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64054 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64054.md |
| n/a–Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot…) via a crafted authentication bypass. | 2025-12-03 | not yet calculated | CVE-2025-64055 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md |
| n/a–Fanvil x210 V2 2.12.20 | File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem. | 2025-12-05 | not yet calculated | CVE-2025-64056 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64056.md |
| n/a–Fanvil x210 V2 2.12.20 | Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts. | 2025-12-05 | not yet calculated | CVE-2025-64057 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64057.md |
| n/a–FeehiCMS 2.1.1 | A Cross Site Scripting (XSS) vulnerability exists in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | 2025-12-01 | not yet calculated | CVE-2025-63520 | https://github.com/liufee/cms/issues/74 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63520.md |
| n/a–FeehiCMS 2.1.1 | A Reverse Tabnabbing vulnerability exists in FeehiCMS 2.1.1 in the Comments Management function. | 2025-12-01 | not yet calculated | CVE-2025-63522 | https://github.com/liufee/cms/issues/76 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63522.md |
| n/a–FeehiCMS 2.1.1 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as “read-only.” An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes. | 2025-12-01 | not yet calculated | CVE-2025-63523 | https://github.com/liufee/cms/issues/77 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md |
| n/a–FeehiCMS version 2.1.1 | FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE). | 2025-12-02 | not yet calculated | CVE-2025-65657 | https://github.com/liufee/cms/issues/78 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-65657.md |
| n/a–Genexis Platinum P4410 router (Firmware P4410-V2-1.41) | A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2-1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router’s diagnostic endpoint, resulting in command execution as root. | 2025-12-04 | not yet calculated | CVE-2025-65883 | https://0xw41th.medium.com/my-first-cve-cve-2025-65883-remote-code-execution-in-a-genexis-router-0c35749a99bd |
| n/a–github.com/sirupsen/logrus when using Entry.Writer() | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with “token too long” and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged. | 2025-12-04 | not yet calculated | CVE-2025-65637 | https://github.com/mjuanxd/logrus-dos-poc https://github.com/sirupsen/logrus/issues/1370 https://github.com/sirupsen/logrus/pull/1376 https://github.com/sirupsen/logrus/releases/tag/v1.8.3 https://github.com/sirupsen/logrus/releases/tag/v1.9.1 https://github.com/sirupsen/logrus/releases/tag/v1.9.3 https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391 https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md |
| n/a–Grav CMS 1.7.49 | Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface. | 2025-12-02 | not yet calculated | CVE-2025-65186 | https://github.com/getgrav/grav https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf |
| n/a–HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | A Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives. | 2025-12-03 | not yet calculated | CVE-2025-63401 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyQn/x0oUOgfHG6F0wUhpmSMcmXMuwO2GYuSf_duzWPRebao |
| n/a–HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | An issue in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs that do not enforce limits on the number or size of requests. | 2025-12-03 | not yet calculated | CVE-2025-63402 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyVd/ckzaFpdm68dwd1nWqgtLfXHp3Pim_YwLUI4WcRB__Ng |
| n/a–InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS | A local privilege escalation vulnerability exists in the InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS. The service accepts unauthenticated XPC connections and executes input via system(), which may allow a local user to execute arbitrary commands with root privileges. | 2025-12-03 | not yet calculated | CVE-2025-55076 | https://almightysec.com/plugin-alliance-helpertool-xpc-service-local-privilege-escalation/ |
| n/a–Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system. | 2025-12-04 | not yet calculated | CVE-2025-65899 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65899/blob/main/README.md |
| n/a–Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users. | 2025-12-04 | not yet calculated | CVE-2025-65900 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65900/blob/main/README.md |
| n/a–KerOS prior to 5.12 | The wmp-agent service of KerOS prior to 5.12 does not properly validate so-called ‘magic URLs’, allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over the network. Typically, the service is protected by a local firewall. | 2025-12-01 | not yet calculated | CVE-2024-39148 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148 |
| n/a–LightFTP v2.0 | A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-65403 | https://shimo.im/docs/9030JMJpv4IM4Nkw https://github.com/hfiref0x/LightFTP |
| n/a–Live555 Streaming Media v2018.09.02 | A buffer overflow in the getSideInfo2() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via a crafted MP3 stream. | 2025-12-01 | not yet calculated | CVE-2025-65404 | https://shimo.im/docs/16q8xMxpPlH8Z2q7 https://github.com/rgaufman/live555 |
| n/a–Live555 Streaming Media v2018.09.02 | A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file. | 2025-12-01 | not yet calculated | CVE-2025-65405 | https://github.com/rgaufman/live555 https://shimo.im/docs/25q5XMXpOwSr8w3D |
| n/a–Live555 Streaming Media v2018.09.02 | A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file. | 2025-12-01 | not yet calculated | CVE-2025-65406 | https://github.com/rgaufman/live555 https://shimo.im/docs/1lq7rMrp8lI1vW3e |
| n/a–Live555 Streaming Media v2018.09.02 | A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream. | 2025-12-01 | not yet calculated | CVE-2025-65407 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLpzZcZvoAg |
| n/a–Live555 Streaming Media v2018.09.02 | A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file. | 2025-12-01 | not yet calculated | CVE-2025-65408 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLp57SJ92Ag |
| n/a–long2ice asyncmy through 0.2.10 | SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys. | 2025-12-02 | not yet calculated | CVE-2025-65896 | https://github.com/long2ice/asyncmy https://github.com/long2ice/asyncmy/issues/134 |
| n/a–Lvzhou CMS | Lvzhou CMS before commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22) is vulnerable to SQL injection via the ‘title’ parameter in com.wanli.lvzhoucms.service.ContentService#findPage. The parameter is concatenated directly into a dynamic SQL query without sanitization or prepared statements, enabling attackers to read sensitive data from the database. | 2025-12-02 | not yet calculated | CVE-2025-65877 | https://github.com/W000i/vuln/issues/1 |
| n/a–mJobtime v15.7.2 | mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly. | 2025-12-01 | not yet calculated | CVE-2025-51682 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a–mJobtime v15.7.2 | A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint. | 2025-12-01 | not yet calculated | CVE-2025-51683 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a–open-webui v0.6.33 | open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling any authenticated user, not only the task’s owner, to stop arbitrary LLM response tasks. | 2025-12-04 | not yet calculated | CVE-2025-63681 | https://github.com/open-webui/open-webui/blob/46ae3f4f5d7d4d706041bdae4ad2d802e568712b/backend/open_webui/main.py#L1652 https://github.com/TOAST-Research/pocs/blob/main/openwebui/arbitirary_task_stop/report.md |
| n/a–orderService.queryObject of platform v1.0.0 | Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57213 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/620e4e0cc0f23c903736971e6375f00e |
| n/a–Pepper language | A heap buffer overflow exists in compiler.c and compiler.h of Pepper language 0.1.1 (commit 961a5d9988c5986d563310275adad3fd181b2bb7). Compiling or running a malicious Pepper source file (.pr) could lead to arbitrary code execution or Denial of Service. | 2025-12-03 | not yet calculated | CVE-2025-50360 | https://github.com/dannyvankooten/pepper-lang https://github.com/Ch1keen/CVE-2025-50360 |
| n/a–PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accept unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65379 | https://phpgurukul.com/billing-system-using-php-and-mysql/ https://github.com/dewcode91/security-research/blob/main/CVE-2025-65379.md |
| n/a–PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65380 | https://phpgurukul.com/billing-system-using-php-and-mysql https://github.com/dewcode91/security-research/blob/main/CVE-2025-65380.md |
| n/a–Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS | A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a local user may exploit the DYLD_INSERT_LIBRARIES environment variable to inject a dynamic library, potentially resulting in code execution with elevated privileges. | 2025-12-03 | not yet calculated | CVE-2025-62686 | https://almightysec.com/plugin-alliance-installationhelper-dylib-injection/ |
| n/a–PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65836 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/SSRF_1.md https://github.com/sanluan/PublicCMS/issues/99 |
| n/a–PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. | 2025-12-01 | not yet calculated | CVE-2025-65838 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/RCE_1.md https://github.com/sanluan/PublicCMS/issues/101 |
| n/a–PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65840 | https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/CSRF_1.md https://github.com/sanluan/PublicCMS/issues/102 |
| n/a–Samsung Mobile Processor Exynos 1280 and 2200 | An issue was discovered in Camera in Samsung Mobile Processor Exynos 1280 and 2200. Unnecessary registration of a hardware IP address in the Camera device driver can lead to a NULL pointer dereference, resulting in a denial of service. | 2025-12-03 | not yet calculated | CVE-2025-54326 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54326/ |
| n/a–Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to decode the SOR transparent container lacks bounds checking, which can cause a fatal error. | 2025-12-03 | not yet calculated | CVE-2025-53965 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53965/ |
| n/a–Seafile Community Edition prior to version 13.0.12 | A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim’s browser. This issue has been fixed in Seafile Community Edition 13.0.12. | 2025-12-04 | not yet calculated | CVE-2025-65516 | https://manual.seafile.com/latest/changelog/server-changelog/ https://gist.github.com/x0root/e5597622fede55b320d29a248dce01e6 |
| n/a–Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket SuperDuper! 3.10 and earlier allows a local attacker to execute arbitrary code via the software update mechanism. | 2025-12-01 | not yet calculated | CVE-2025-61228 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a–Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket’s SuperDuper! 3.10 and earlier allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2025-12-01 | not yet calculated | CVE-2025-61229 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a–Shirt Pocket SuperDuper! v3.10 | Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | 2025-12-01 | not yet calculated | CVE-2025-57489 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a–SmallBASIC with SDL Before v12_28 | A buffer overflow was found in SmallBASIC with SDL before v12_28 (commit 298a1d495355959db36451e90a0ac74bcc5593fe) in main.cpp, which can lead to information leakage and a crash. | 2025-12-03 | not yet calculated | CVE-2025-50361 | https://github.com/smallbasic/SmallBASIC https://github.com/Ch1keen/CVE-2025-50361 |
| n/a–Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator’s session, enabling privilege escalation. | 2025-12-01 | not yet calculated | CVE-2025-65621 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65621 |
| n/a–Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS via the Locations “Country” field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user’s session. | 2025-12-01 | not yet calculated | CVE-2025-65622 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65622 |
| n/a–SoftSea EPUB File Reader 1.0.0.0 | SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents. | 2025-12-01 | not yet calculated | CVE-2025-63365 | http://epub.com https://jeroscope.com/advisories/2025/jero-2025-001/ |
| n/a–Sourcecodester Student Grades Management System v1.0 | Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. | 2025-12-02 | not yet calculated | CVE-2025-64070 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-64070 |
| n/a–Sourcecodester Web-based Pharmacy Product Management System v1.0 | Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | 2025-12-02 | not yet calculated | CVE-2025-65215 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-65215 |
| n/a–Sourcecodester Zoo Management System v1.0 | Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. | 2025-12-02 | not yet calculated | CVE-2025-65881 | https://gist.github.com/MMAKINGDOM/17b85a6e077f08134ee96850f162ed8f https://github.com/MMAKINGDOM/CVE-2025-65881/ |
| n/a–Technitium through v13.2.2 | An issue in Technitium DNS Server through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject forged responses by reviving the birthday attack (many identical outstanding queries for one name make a transaction-ID collision with a flood of spoofed replies far more likely than against a single query). | 2025-12-01 | not yet calculated | CVE-2024-56089 | https://technitium.com/dns/ https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-134 |
| n/a–Tempus Ex hello-video-codec v0.1.0 | Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-63095 | https://gist.github.com/thesmartshadow/b092e2493821491b981a069847a33064 https://github.com/tempus-ex/hello-video-codec https://github.com/tempus-ex/hello-video-codec/tree/3e9551c699311ea12ad7f2fce9562fbc990d524c https://github.com/tempus-ex/hello-video-codec/blob/3e9551c699311ea12ad7f2fce9562fbc990d524c/src/bitstream.rs |
| n/a–Terminalfour 8 through 8.4.1.1 | In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account’s password, effectively taking full control of it. | 2025-12-02 | not yet calculated | CVE-2025-58386 | https://terminalfour.com https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/ |
| n/a–Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-53963 | https://tools.thermofisher.cn/content/sfs/brochures/One_Touch_2_Spec_Sheet.pdf https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-54304 | https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://www.thermofisher.com/order/catalog/product/4474779 https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Thermo Fisher Torrent Suite Django application 5.18.1 | The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges. | 2025-12-04 | not yet calculated | CVE-2025-54303 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-54305 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server’s network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed. | 2025-12-04 | not yet calculated | CVE-2025-54306 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint. | 2025-12-04 | not yet calculated | CVE-2025-54307 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a–Todoist v8896 | Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment. | 2025-12-01 | not yet calculated | CVE-2025-63317 | https://github.com/sefabasnak/Todoistv8896 |
| n/a–Warehouse Management System v1.2 | The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server’s file system. This could lead to the leakage of sensitive system information. | 2025-12-05 | not yet calculated | CVE-2025-65878 | https://github.com/W000i/vuln/issues/2 |
| n/a–Warehouse Management System v1.2 | Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server’s UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads. | 2025-12-05 | not yet calculated | CVE-2025-65879 | https://github.com/W000i/vuln/issues/3 |
| n/a–Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63361 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-1/ |
| n/a–Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-63362 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-2/ |
| n/a–Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to carry out deauthentication attacks: crafted deauthentication and disassociation frames can be broadcast without authentication or encryption and are accepted by the device. | 2025-12-04 | not yet calculated | CVE-2025-63363 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-3/ |
| n/a–Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to transmit Administrator credentials in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63364 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-4/ |
| n/a–yzcheng90 X-SpringBoot 6.0 | yzcheng90 X-SpringBoot 6.0 implements role-based access control (RBAC) through two components, a frontend menu system and a backend permission table, without enforcing atomic synchronization between them. When a frontend menu update (such as a privilege revocation) fails to propagate to the backend permission table in real time, the two desynchronize: the user loses access to restricted functions in the web interface (the UI elements disappear), but the stale permission records still authorize direct API requests made with tools like Postman. Attackers exploiting this inconsistency can perform privileged operations including, but not limited to, creating high-permission user accounts, accessing sensitive data beyond their clearance level, and executing admin-level commands. | 2025-12-04 | not yet calculated | CVE-2025-55948 | https://github.com/yzcheng90/X-SpringBoot https://github.com/liuchengjie01/vuln_db/blob/master/x-springboot3x-vul/x-springboot3x-vul.md |
| n/a–zdh_web through 5.6.17 | zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web through 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution. | 2025-12-05 | not yet calculated | CVE-2025-65897 | https://github.com/zhaoyachao/zdh_web https://github.com/zhaoyachao/zdh_web/pull/39 https://github.com/zhaoyachao/zdh_web/commit/b2423378a8bf83f159f19ce4e14eac71c939793a https://github.com/zhaoyachao/zdh_web/issues/40 |
| Nagvis–Nagvis version before 1.9.48 | User enumeration in Nagvis’ Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | 2025-12-03 | not yet calculated | CVE-2025-39665 | https://github.com/NagVis/nagvis/pull/411/commits/4acabcf9d5b2d26f390e760f59def8e163908d66 https://www.nagvis.org/downloads/changelog/1.9.48 |
| nopSolutions–nopCommerce | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability. | 2025-12-01 | not yet calculated | CVE-2025-11699 | https://seclists.org/fulldisclosure/2025/Aug/14 https://github.com/nopSolutions/nopCommerce/issues/7044 https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT |
| Obi08/Enrollment System–Obi08/Enrollment System | Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords. | 2025-12-04 | not yet calculated | CVE-2024-58276 | ExploitDB-51845 Official Product Homepage https://www.vulncheck.com/advisories/obi08-enrollment-system-10-loginphp-sql-injection |
| ObjectPlanet–Opinio | Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows an attacker to upload files on behalf of logged-in users and then access those files without authentication. | 2025-12-02 | not yet calculated | CVE-2025-13871 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet–Opinio | Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination. | 2025-12-02 | not yet calculated | CVE-2025-13872 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet–Opinio | Stored Cross-Site Scripting (XSS) in the survey-import feature of the ObjectPlanet Opinio 7.26 rev12562 web application allows an attacker to inject arbitrary JavaScript code, which executes in the browser of any visitor accessing the compromised survey. | 2025-12-02 | not yet calculated | CVE-2025-13873 | https://www.objectplanet.com/opinio/changelog.html |
| OpenSolution–QuickCMS | A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-12-02 | not yet calculated | CVE-2025-12465 | https://cert.pl/posts/2025/12/CVE-2025-12465/ |
| OpenVPN–OpenVPN | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses. | 2025-12-01 | not yet calculated | CVE-2025-12106 | https://community.openvpn.net/Security%20Announcements/CVE-2025-12106 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html |
| OpenVPN–OpenVPN | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address, one that did not initiate the connection, resulting in a denial of service for the originating client. | 2025-12-03 | not yet calculated | CVE-2025-13086 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html |
| OpenVPN–OpenVPN | Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | 2025-12-03 | not yet calculated | CVE-2025-13751 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13751 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html |
| Perforce–BlazeMeter | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | 2025-12-03 | not yet calculated | CVE-2025-13472 | https://portal.perforce.com/s/cve/a91Qi000002bFgTIAU/missing-authorization-in-blazemeter-jenkins-plugin |
| Ping Identity–One-Time Passcode Integration Kit for PingFederate | The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication. | 2025-12-04 | not yet calculated | CVE-2025-27935 | https://support.pingidentity.com/s/article/SECADV051-PingFederate-OTP-Integration-Kit-authentication-bypass https://www.pingidentity.com/en/resources/downloads/pingfederate.html |
| Portkey-AI–gateway | Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0. | 2025-12-01 | not yet calculated | CVE-2025-66405 | https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp https://github.com/Portkey-AI/gateway/pull/1372 https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885 |
| Pure Storage–PX Enterprise | A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions. | 2025-12-04 | not yet calculated | CVE-2025-9127 | https://support.purestorage.com/category/m_pure_storage_product_security |
| Python Software Foundation–CPython | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | 2025-12-03 | not yet calculated | CVE-2025-12084 | https://github.com/python/cpython/pull/142146 https://github.com/python/cpython/issues/142145 https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0 https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964 |
| Python Software Foundation–CPython | When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | 2025-12-01 | not yet calculated | CVE-2025-13836 | https://github.com/python/cpython/issues/119451 https://github.com/python/cpython/pull/119454 https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155 https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5 https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/ https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 |
| Python Software Foundation–CPython | When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause OOM and DoS issues. | 2025-12-01 | not yet calculated | CVE-2025-13837 | https://github.com/python/cpython/pull/119343 https://github.com/python/cpython/issues/119342 https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/ |
| R Radio Network–Radio Network FM Transmitter | R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user’s password through the system.cgi endpoint, enabling authentication bypass and FM station setup access. | 2025-12-04 | not yet calculated | CVE-2024-58277 | ExploitDB-51855 Security Advisory for ZSL-2023-5802 https://www.vulncheck.com/advisories/r-radio-network-fm-transmitter-107-system-settings-disclosure |
| Remotecontrolio–Remote Keyboard Desktop | Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution. | 2025-12-04 | not yet calculated | CVE-2025-66576 | ExploitDB-52299 Vendor Homepage Software Link https://www.vulncheck.com/advisories/remote-keyboard-desktop-101-remote-code-execution-rce |
| ReQuest Serious Play LLC–ReQuest Serious Play Media Player | ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the ‘file’ parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources. | 2025-12-05 | not yet calculated | CVE-2020-36878 | Exploit Database Entry 48949 Zero Science Advisory ZSL-2020-5599 https://www.vulncheck.com/advisories/request-serious-play-f-media-player-directory-traversal-file-disclosure |
| ReQuest Serious Play LLC–ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver’s Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page. | 2025-12-05 | not yet calculated | CVE-2020-36876 | Exploit Database Entry 48950 Software Link Advisory URL https://www.vulncheck.com/advisories/request-serious-play-f-media-server-debug-log-disclosure |
| ReQuest Serious Play LLC–ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server. | 2025-12-05 | not yet calculated | CVE-2020-36877 | Exploit Database Entry 48952 Vendor Security Advisory for ZSL-2020-5602 Official Product Homepage https://www.vulncheck.com/advisories/request-serious-play-f-media-server-unauthenticated-rce |
| Revive–Revive Adserver | HackerOne community member Kassem S.(kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyphs based impersonation has been independently reported by other HackerOne users, such as itz_hari_ and khoof. | 2025-12-02 | not yet calculated | CVE-2025-55129 | https://hackerone.com/reports/3434156 |
| rommapp–romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65096 | https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c |
| rommapp–romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65097 | https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g |
| Sanoma–Clickedu | Reflected Cross-site Scripting (XSS) vulnerability in Sanoma’s Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL in ‘/students/carpetes_varies.php’. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-12-01 | not yet calculated | CVE-2025-41070 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu |
| Seafile–Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim’s browser by storing malicious payloads with the PUT parameter ‘name’ in ‘/api/v2.1/user/’. | 2025-12-04 | not yet calculated | CVE-2025-41079 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| Seafile–Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim’s browser by storing malicious payloads with the POST parameter ‘p’ in ‘/api/v2.1/repos/{repo_id}/file/’. | 2025-12-04 | not yet calculated | CVE-2025-41080 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 v0.9.2. This vulnerability allows an attacker to remotely exploit memory corruption through the ‘read_packet()’ function of the TACACSPLUS implementation. | 2025-12-02 | not yet calculated | CVE-2025-11778 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The ‘SetLan’ function is invoked when a new configuration is applied. This new configuration function is activated by a management web request, which can be invoked by a user when making changes to the ‘index.cgi’ web application. The parameters are not being sanitised, which could lead to command injection. | 2025-12-02 | not yet calculated | CVE-2025-11779 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the ‘showMeterReport()’ function, there is an unlimited user input that is copied to a fixed-size buffer via ‘sprintf()’. The ‘GetParameter(meter)’ function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the “meter” parameter. | 2025-12-02 | not yet calculated | CVE-2025-11780 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges. | 2025-12-02 | not yet calculated | CVE-2025-11781 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The ‘ShowDownload()’ function uses “sprintf()” to format a string that includes the user-controlled input of ‘GetParameter(meter)’ in the fixed-size buffer ‘acStack_4c’ (64 bytes) without checking the length. An attacker can provide an excessively long value for the ‘meter’ parameter that exceeds the 64-byte buffer size. | 2025-12-02 | not yet calculated | CVE-2025-11782 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The vulnerability is found in the ‘AddEvent()’ function when copying the user-controlled username input to a fixed-size buffer (48 bytes) without boundary checking. This can lead to memory corruption, resulting in possible remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-11783 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the ‘ShowMeterDatabase()’ function, there is an unlimited user input that is copied to a fixed-size buffer via ‘sprintf()’. The ‘GetParameter(meter)’ function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the ‘meter’ parameter. | 2025-12-02 | not yet calculated | CVE-2025-11784 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the ‘ShowMeterPasswords()’ function, there is an unlimited user input that is copied to a fixed-size buffer via ‘sprintf()’. The ‘GetParameter(meter)’ function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the ‘meter’ parameter. | 2025-12-02 | not yet calculated | CVE-2025-11785 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the ‘SetUserPassword()’ function, the ‘newPassword’ parameter is directly embedded in a shell command string using ‘sprintf()’ without any sanitisation or validation, and then executed using ‘system()’. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application. | 2025-12-02 | not yet calculated | CVE-2025-11786 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the ‘GetDNS()’, ‘CheckPing()’ and ‘TraceRoute()’ functions. | 2025-12-02 | not yet calculated | CVE-2025-11787 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the ‘ShowSupervisorParameters()’ function, there is an unlimited user input that is copied to a fixed-size buffer via ‘sprintf()’. The ‘GetParameter(meter)’ function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the ‘meter’ parameter. | 2025-12-02 | not yet calculated | CVE-2025-11788 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50–Circutor | Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The ‘DownloadFile’ function converts a parameter to an integer using ‘atoi()’ and then uses it as an index in the ‘FilesDownload’ array with ‘(&FilesDownload)[iVar2]’. If the parameter is too large, it will access memory beyond the limits. | 2025-12-02 | not yet calculated | CVE-2025-11789 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| silabs.com–Gecko SDK | When a WF200/WGM160P device is configured to operate as an Access Point, it may be vulnerable to a denial of service triggered by a malformed packet. The device may recover automatically or require a hard reset. | 2025-12-04 | not yet calculated | CVE-2025-12986 | https://community.silabs.com/068Vm00000akaGr |
| silabs.com–Simplicity Studio V6 | The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user’s domain password. | 2025-12-04 | not yet calculated | CVE-2025-10285 | https://community.silabs.com/a45Vm0000003UcfIAE |
| SOLIDserver–SOLIDserver IPAM | Directory traversal vulnerability in SOLIDserver IPAM v8.2.3. This vulnerability allows an authenticated user with administrator privileges to list directories other than those to which they have authorized access using the ‘directory’ parameter in ‘/mod/ajax.php?action=sections/list/list’. For example, setting the ‘directory’ parameter to ‘/’ displays files outside the ‘LOCAL:///’ folder. | 2025-12-02 | not yet calculated | CVE-2025-13879 | https://www.incibe.es/en/incibe-cert/notices/aviso/directory-traversal-vulnerability-efficientips-solidserver-ipam https://efficientip.com/resources/solidserver-ipam-solutions-3/ |
| SolisCloud–Monitoring Platform (Cloud API & Device Control API) | The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. | 2025-12-04 | not yet calculated | CVE-2025-13932 | url |
| Sonatype–Nexus Repository | Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context. | 2025-12-04 | not yet calculated | CVE-2025-13488 | https://help.sonatype.com/en/sonatype-nexus-repository-3-87-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/46896142768019 |
| Sony Corporation–INZONE Hub | The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer. | 2025-12-01 | not yet calculated | CVE-2025-64772 | https://www.sony.com/electronics/support/others-software/inzone-hub https://jvn.jp/en/jp/JVN28247549/ |
| syntax-tree–mdast-util-to-hast | mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1. | 2025-12-01 | not yet calculated | CVE-2025-66400 | https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 |
| taikoxyz–taiko-mono | Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer. | 2025-12-04 | not yet calculated | CVE-2025-66559 | https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8 |
| TCMAN–GIM | Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the ‘pda:userId’ and ‘pda:newPassword’ parameters with ‘soapaction UnlockUser’ in ‘/WS/PDAWebService.asmx’. | 2025-12-02 | not yet calculated | CVE-2025-41012 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN–GIM | SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the ‘idmant’ parameter in ‘/PC/frmEPIS.aspx’. | 2025-12-02 | not yet calculated | CVE-2025-41013 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN–GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the ‘pda:username’ parameter with ‘soapaction GetLastDatePasswordChange’ in ‘/WS/PDAWebService.asmx’. | 2025-12-02 | not yet calculated | CVE-2025-41014 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN–GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the ‘pda:username’ parameter with ‘soapaction GetUserQuestionAndAnswer’ in ‘/WS/PDAWebService.asmx’. | 2025-12-02 | not yet calculated | CVE-2025-41015 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| The Qt Company–Qt | Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0. | 2025-12-03 | not yet calculated | CVE-2025-12385 | https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766 |
| TOTOLINK–N300RT | TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter. | 2025-12-03 | not yet calculated | CVE-2025-34319 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/154/ids/36.html https://totolink.tw/support_view/N300RT https://www.vulncheck.com/advisories/totolink-n300rt-boa-formwsc-rce |
| Unknown–db-access | The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated user, such as a subscriber, to perform SQL injection attacks. | 2025-12-02 | not yet calculated | CVE-2025-13000 | https://wpscan.com/vulnerability/aec53f87-6500-4c8a-925a-146be61bbabf/ |
| Unknown–donation | The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin, to perform SQL injection attacks. | 2025-12-02 | not yet calculated | CVE-2025-13001 | https://wpscan.com/vulnerability/4e7a8154-46bf-44c9-ad9a-273e99ae2104/ |
| Unknown–Timetable and Event Schedule by MotoPress ver. < 2.4.16 | The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure to users with a role as low as Contributor. | 2025-12-03 | not yet calculated | CVE-2025-12954 | https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/ |
| Unknown–UNA CMS ver 9.0.0 | UNA CMS versions 9.0.0-RC1 – 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code. | 2025-12-04 | not yet calculated | CVE-2025-66571 | ExploitDB-52139 UNA CMS Homepage UNA CMS GitHub Repository Karma Security Advisory https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection |
| Unknown–Upload.am plugin ver. < 1.0.1 | The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options. | 2025-12-02 | not yet calculated | CVE-2025-12630 | https://wpscan.com/vulnerability/531537f1-5547-4b0f-9e11-3f8a0b2589f5/ |
| urllib3–urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0. | 2025-12-05 | not yet calculated | CVE-2025-66418 | https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53 https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 |
| urllib3–urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3’s streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data). | 2025-12-05 | not yet calculated | CVE-2025-66471 | https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7 |
| VeePN–VeeVPN | VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem. | 2025-12-04 | not yet calculated | CVE-2025-66575 | ExploitDB-52088 VeePN Homepage VeePN GitHub Repository https://www.vulncheck.com/advisories/veevpn-161-unquoted-service-path-remote-code-execution |
| WatchGuard–Fireware OS | A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-11838 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00018 |
| WatchGuard–Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12026 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00017 |
| WatchGuard–Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12195 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00019 |
| WatchGuard–Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12196 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00020 |
| WatchGuard–Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13936 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00021 |
| WatchGuard–Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13937 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00022 |
| WatchGuard–Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13938 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00023 |
| WatchGuard–Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS. This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13939 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00024 |
| WatchGuard–Fireware OS | An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure. This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13940 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00026 |
| WatchGuard–Fireware OS | An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured. This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-1545 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025 |
| WatchGuard–Fireware OS | A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS’s certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This issue affects Fireware OS: from 12.0 through 12.5.12+701324, from 12.6 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1547 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00013 |
| WatchGuard–Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in WatchGuard Fireware OS allows Stored XSS via the IPS module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Firebox: from 12.0 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-6946 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00011 |
| WatchGuard–Mobile VPN with SSL Client | The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM on the Windows machine where the VPN Client is installed. This issue affects the Mobile VPN with SSL Client 12.0 up to and including 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1910 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00008 |
| WEBIGniter–WEBIGniter | WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to inject malicious JavaScript that executes in other users' browsers (XSS). | 2025-12-04 | not yet calculated | CVE-2023-53735 | ExploitDB-51900 Official WEBIGniter Homepage WEBIGniter Demo Page https://www.vulncheck.com/advisories/webigniter-28723-cross-site-scripting-xss-in-user-creation-process |
| xwiki–xwiki-platform | XWiki is an open-source wiki software platform. From 16.7.0 up to (but not including) 16.10.11, 17.4.4 and 17.7.0, an instance using the XWiki Jetty package (XJetty) exposes a context that serves any file located in the webapp/ folder as a static resource, including files that might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0. | 2025-12-01 | not yet calculated | CVE-2025-55749 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9 https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10 https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10 https://jira.xwiki.org/browse/XWIKI-23438 |
| yawkat–lz4-java | yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1. | 2025-12-05 | not yet calculated | CVE-2025-66566 | https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840 |
| Zabbix–Zabbix | An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss. | 2025-12-01 | not yet calculated | CVE-2025-27232 | https://support.zabbix.com/browse/ZBX-27282 |
| Zabbix–Zabbix | Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory. | 2025-12-01 | not yet calculated | CVE-2025-49642 | https://support.zabbix.com/browse/ZBX-27283 |
| Zabbix–Zabbix | An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service. | 2025-12-01 | not yet calculated | CVE-2025-49643 | https://support.zabbix.com/browse/ZBX-27284 |
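The lz4-java entry above (CVE-2025-66566) describes the failure mode rather than the code: a decompressor that returns bytes it did not itself write for the current call hands the caller whatever a reused output buffer held before. The following added example is not lz4-java's code and does not reproduce its specific defect; it is a small LZ4 block decoder (public LZ4 block format: token, literals, 2-byte little-endian offset, match length) written for this bulletin, with a switch that either rejects or tolerates a match offset reaching before the start of the output region. The stale buffer contents and the crafted block are constructed for the example. It shows the leak, the decoder-side check that stops it, and why clearing the buffer on the caller's side is only a partial mitigation.

```python
"""Toy LZ4 block decoder showing how stale bytes in a reused output buffer can
be handed back to the caller.  Added illustration for this bulletin entry, not
lz4-java's code.  Block layout follows the public LZ4 block format (token,
literals, 2-byte little-endian offset, match length).  STALE, CRAFTED and
BENIGN are constructed sample inputs."""


def _read_len(src: bytes, s: int, base: int):
    """LZ4 length extension: add bytes until one is not 255."""
    while True:
        if s >= len(src):
            raise ValueError("malformed input: truncated length")
        b, s = src[s], s + 1
        base += b
        if b != 255:
            return base, s


def decompress_block(src: bytes, dst: bytearray, dst_off: int, dst_len: int,
                     reject_out_of_block: bool = True) -> int:
    """Decode one LZ4 block into dst[dst_off:dst_off + dst_len]; return bytes written.

    With reject_out_of_block=False a match offset reaching before dst_off copies
    whatever dst already held there: bytes this decoder never wrote for this call.
    """
    n, s, d, end = len(src), 0, dst_off, dst_off + dst_len
    while s < n:
        token, s = src[s], s + 1
        lit = token >> 4                        # literal run length (high nibble)
        if lit == 15:
            lit, s = _read_len(src, s, lit)
        if s + lit > n or d + lit > end:
            raise ValueError("malformed input: literal run overflows")
        dst[d:d + lit] = src[s:s + lit]
        s, d = s + lit, d + lit
        if s == n:                              # final sequence carries literals only
            break
        if s + 2 > n:
            raise ValueError("malformed input: truncated offset")
        offset = src[s] | (src[s + 1] << 8)     # 1..65535; zero is invalid
        s += 2
        if offset == 0:
            raise ValueError("malformed input: zero offset")
        mlen = (token & 0x0F) + 4               # match length = low nibble + 4
        if (token & 0x0F) == 15:
            mlen, s = _read_len(src, s, mlen)
        match = d - offset
        if match < dst_off and reject_out_of_block:
            raise ValueError("malformed input: match reaches before block start")
        if match < 0 or d + mlen > end:
            raise ValueError("malformed input: match outside buffer")
        for i in range(mlen):                   # byte-wise so overlapping matches work
            dst[d + i] = dst[match + i]
        d += mlen
    return d - dst_off


# Constructed sample data: a 32-byte buffer a previous decompression left holding
# a secret, and a block that, decoded into bytes 16..31, emits one literal "X" and
# then a 15-byte match at offset 16, which points at byte 1 of the old contents.
STALE = bytearray(b"password=hunter2" + bytes(16))
CRAFTED = bytes([0x1B]) + b"X" + b"\x10\x00" + b"\x00"
# "abc" plus an overlapping match (offset 3, length 9): decodes to "abcabcabcabc".
BENIGN = bytes([0x35]) + b"abc" + b"\x03\x00" + b"\x00"


def decode_benign() -> bytes:
    buf = bytearray(12)
    return bytes(buf[:decompress_block(BENIGN, buf, 0, 12)])


def leak_from_reused_buffer() -> bytes:
    """Lenient decoder + reused buffer: the old secret comes back out."""
    buf = bytearray(STALE)
    n = decompress_block(CRAFTED, buf, 16, 16, reject_out_of_block=False)
    return bytes(buf[16:16 + n])


def hardened_decoder_rejects() -> str:
    """Decoder-side fix: refuse matches that reach before the block start."""
    buf = bytearray(STALE)
    try:
        decompress_block(CRAFTED, buf, 16, 16)
    except ValueError as exc:
        return str(exc)
    return "no error"


def lenient_decoder_fresh_buffer() -> bytes:
    """Caller-side mitigation alone: a cleared buffer has nothing to leak, but
    the malformed block still decodes silently to garbage."""
    buf = bytearray(len(STALE))
    n = decompress_block(CRAFTED, buf, 16, 16, reject_out_of_block=False)
    return bytes(buf[16:16 + n])
```

`leak_from_reused_buffer()` returns `b"Xassword=hunter2"`: fifteen bytes of the previous tenant's data wrapped in a block that is only five bytes long, which is the "read previous buffer contents via crafted compressed input" outcome in the advisory. The same block against the default (rejecting) decoder raises immediately. Zeroing or reallocating the buffer before every call, as the entry's "reused without being cleared" wording suggests, removes the secret but not the malformed input, so the decoder-side bounds check is the fix and the buffer hygiene is defence in depth while upgrading.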
