Vulnerability Summary for the Week of December 8, 2025


High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info
Unknown–Typora Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the ‘run command’ input field during PDF export to achieve remote code execution. 2025-12-12 9.8 CVE-2024-14010 ExploitDB-51752
Typora Vendor Homepage
VulnCheck Advisory: Typora 1.7.4 OS Command Injection via Export PDF Preferences
 
PCMan–FTP Server PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the ‘pwd’ command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access. 2025-12-12 9.8 CVE-2024-58299 ExploitDB-51767
PCMan FTP Server Sourceforge Page
VulnCheck Advisory: PCMan FTP Server 2.0 Remote Buffer Overflow via ‘pwd’ Command
 
dormakaba–Dormakaba Saflok System 6000 Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation of the card’s unique identifier. 2025-12-12 9.8 CVE-2024-58311 ExploitDB-51832
Dormakaba Vendor Homepage
VulnCheck Advisory: Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness
 
Ivanti–Endpoint Manager Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required. 2025-12-09 9.6 CVE-2025-10573 https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
 
rupok98–URL Shortener Plugin For WordPress The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-13 9.8 CVE-2025-10738 https://www.wordfence.com/threat-intel/vulnerabilities/id/1b4acf11-114a-4e97-89cd-1d387f14a730?source=cve
https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Models/LinkAnalytics.php?rev=3210852
https://wordpress.org/plugins/exact-links/
 
Personal Project–Panilux Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability results in Command Injection. This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product. 2025-12-09 9.6 CVE-2025-11022 https://www.usom.gov.tr/bildirim/tr-25-0433
 
recorp–Export WP Pages to HTML & PDF Simply Create a Static Website The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to access cookies that may have been written into the log file if the site administrator triggered a back-up using a specific user role such as ‘administrator’. 2025-12-13 9.8 CVE-2025-11693 https://www.wordfence.com/threat-intel/vulnerabilities/id/cd28ac3c-aaef-49e3-843d-8532404703c9?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388166%40export-wp-page-to-static-html&new=3388166%40export-wp-page-to-static-html&sfp_email=&sfph_mail=
 
TalentSoft Software–UNIS Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in TalentSoft Software UNIS allows SQL Injection. This issue affects UNIS: before 42321. 2025-12-09 9.8 CVE-2025-12504 https://www.usom.gov.tr/bildirim/tr-25-0435
 
lazycoders–LazyTasks Project & Task Management with Collaboration, Kanban and Gantt Chart The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user’s identity via the ‘wp-json/lazytasks/api/v1/user/role/edit/’ REST API endpoint prior to updating their details such as the email address. This makes it possible for unauthenticated attackers to change arbitrary users’ email addresses, including administrators’, and leverage that to reset the user’s password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users access to additional roles within the plugin. 2025-12-12 9.8 CVE-2025-12963 https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve
https://wordpress.org/plugins/lazytasks-project-task-management/
 
D-Link–DCS-F5614-L1 A malicious actor can access camera configuration information, including account credentials, without authenticating by accessing a vulnerable URL. 2025-12-10 9.4 CVE-2025-13607
https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-343-03.json
 
Elated Themes–Elated Membership The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the ‘eltdf_membership_check_facebook_user’ and the ‘eltdf_membership_login_user_from_social_network’ function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user’s email. 2025-12-10 9.8 CVE-2025-13613 https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve
https://themeforest.net/item/esmarts-a-modern-education-and-lms-theme/20987760
 
ApusTheme–WP CarDealer The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the ‘WP_CarDealer_User::process_register’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. 2025-12-11 9.8 CVE-2025-13764 https://www.wordfence.com/threat-intel/vulnerabilities/id/f4893d9c-e039-43df-80b9-dbe42374caed?source=cve
https://themeforest.net/item/boxcar-automotive-car-dealer-wordpress-theme/49741717
 
pgadmin.org–pgAdmin 4 pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. 2025-12-11 9.1 CVE-2025-13780 https://github.com/pgadmin-org/pgadmin4/issues/9368
 
ConnectWise–ScreenConnect In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed. 2025-12-11 9.1 CVE-2025-14265 https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch
 
sh1zen–Multi Uploader for Gravity Forms The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ‘plupload_ajax_delete_file’ function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. 2025-12-12 9.8 CVE-2025-14344 https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve
https://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41
 
jayarsiech–JAY Login & Register The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the ‘jay_login_register_process_switch_back’ function with the ‘jay_login_register_process_switch_back’ cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. 2025-12-13 9.8 CVE-2025-14440 https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve
https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98
 
UTT–512W A vulnerability was determined in UTT 进取 512W up to 3.1.7.7-171114. This impacts the function strcpy of the file /goform/formNatStaticMap of the component Endpoint. Manipulation of the argument NatBind can lead to a buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 9.8 CVE-2025-14534 VDB-335873 | UTT 进取 512W Endpoint formNatStaticMap strcpy buffer overflow
VDB-335873 | CTI Indicators (IOB, IOC, IOA)
Submit #703620 | UTT / 艾泰 Aggressive 512W <= v3.1.7.7-171114 Buffer Overflow / Memory Corruption
https://github.com/maximdevere/CVE2/issues/6
 
UTT–512W A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114. Affected is the function strcpy of the file /goform/formConfigFastDirectionW. Manipulation of the argument ssid leads to a buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 9.8 CVE-2025-14535 VDB-335874 | UTT 进取 512W formConfigFastDirectionW strcpy buffer overflow
VDB-335874 | CTI Indicators (IOB, IOC, IOA)
Submit #703621 | UTT / 艾泰 Aggressive 512W <= v3.1.7.7-171114 Buffer Overflow / Memory Corruption
https://github.com/maximdevere/CVE2/issues/7
 
Tenda–WH450 A security flaw has been discovered in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/DhcpListClient of the component HTTP Request Handler. Manipulation of the argument page results in a stack-based buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be used. 2025-12-14 9.8 CVE-2025-14665 VDB-336397 | Tenda WH450 HTTP Request DhcpListClient stack-based overflow
VDB-336397 | CTI Indicators (IOB, IOC, IOA)
Submit #714400 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/DhcpListClient/DhcpListClient.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/DhcpListClient/DhcpListClient.md#reproduce
https://www.tenda.com.cn/
 
Infinera–MTC-9 Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0. 2025-12-08 9.8 CVE-2025-27019 https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019
 
Infinera–MTC-9 Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0. 2025-12-08 9.8 CVE-2025-27020 https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020
 
WAGO–Industrial-Managed-Switches An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise. 2025-12-10 9.8 CVE-2025-41730 https://certvde.com/de/advisories/VDE-2025-095
 
WAGO–Industrial-Managed-Switches An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise. 2025-12-10 9.8 CVE-2025-41732 https://certvde.com/de/advisories/VDE-2025-095
 
SAP_SE–SAP Solution Manager Due to missing input sanitization, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system, leading to high impact on the confidentiality, integrity and availability of the system. 2025-12-09 9.9 CVE-2025-42880 https://me.sap.com/notes/3685270
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP jConnect – SDK for ASE Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system. 2025-12-09 9.1 CVE-2025-42928 https://me.sap.com/notes/3685286
https://url.sap/sapsecuritypatchday
 
Fortinet–FortiSwitchManager An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. 2025-12-09 9.1 CVE-2025-59718 https://fortiguard.fortinet.com/psirt/FG-IR-25-647
 
Fortinet–FortiWeb An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. 2025-12-09 9.1 CVE-2025-59719 https://fortiguard.fortinet.com/psirt/FG-IR-25-647
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue does not require user interaction and scope is changed. 2025-12-09 9.1 CVE-2025-61808 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged. 2025-12-09 9.1 CVE-2025-61809 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim’s browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. 2025-12-10 9.3 CVE-2025-64537 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim’s browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. 2025-12-10 9.3 CVE-2025-64538 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim’s browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. 2025-12-10 9.3 CVE-2025-64539 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 3. 2025-12-11 9.8 CVE-2025-66043 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 64. 2025-12-11 9.8 CVE-2025-66044 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 65. 2025-12-11 9.8 CVE-2025-66045 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 67. 2025-12-11 9.8 CVE-2025-66046 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 131. 2025-12-11 9.8 CVE-2025-66047 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
The Biosig Project–libbiosig Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 133. 2025-12-11 9.8 CVE-2025-66048 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296
 
ThinkInAIXYZ–deepchat DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insufficient and can be bypassed using unquoted HTML attributes combined with HTML entity encoding. Remote Code Execution is possible on the victim’s machine via the electron.ipcRenderer interface, bypassing the regex filter intended to strip dangerous attributes. There is no fix at time of publication. 2025-12-09 9.7 CVE-2025-66481 https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-h9f5-7hhf-fqm4
 
vitejs–vite-plugin-react @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using `vite --host` to expose the server on all network interfaces. This issue is fixed in version 0.5.6. 2025-12-09 9.8 CVE-2025-67489 https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-j76j-5p5g-9wfr
https://github.com/vitejs/vite-plugin-react/commit/fe634b58210d0a4a146a7faae56cd71af3bb9af4
 
zitadel–zitadel ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1. 2025-12-09 9.3 CVE-2025-67494 https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5
https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96
 
WBCE–WBCE_CMS WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP’s rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5. 2025-12-09 9.1 CVE-2025-67504 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6
https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6
https://cwe.mitre.org/data/definitions/338.html
https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
 
pipeshub-ai–pipeshub-ai PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta. 2025-12-10 9.8 CVE-2025-67506 https://github.com/pipeshub-ai/pipeshub-ai/security/advisories/GHSA-w398-9m55-2357
https://github.com/pipeshub-ai/pipeshub-ai/commit/987ebab40a1fc39956730ed93220f7f9b2c4e5f8
 
neuron-core–neuron-ai Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12. 2025-12-10 9.4 CVE-2025-67510 https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c
https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9
https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12
 
aliasrobotics–cai Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only the password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while the username, host and port values are not escaped and remain injectable. This issue does not have a fix at the time of publication. 2025-12-10 9.7 CVE-2025-67511 https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h
https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c
https://www.hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself
 
ShaneIsrael–fireshare Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0. 2025-12-12 9.8 CVE-2025-67728 https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72m
https://github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34
 
JBL–LIVE PRO 2 TWS Due to improper BLE security configurations on the device’s GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service, which could render the device unusable. 2025-12-10 8.8 CVE-2024-2104 https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json
https://certvde.com/en/advisories/VDE-2024-076
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). The DHCP Server configuration file of the affected products is subject to code injection. An attacker could leverage this vulnerability to spawn a reverse shell and gain root access on the affected system. 2025-12-09 8.8 CVE-2024-56835 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
wondercms–WonderCMS WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. 2025-12-12 8.8 CVE-2024-58305 ExploitDB-51805
WonderCMS Github Repository
WonderCMS Homepage
VulnCheck Advisory: WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation
 
ATCOM Technology co., LTD.–100M IP Phones Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the ‘cmd’ parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials. 2025-12-12 8.8 CVE-2024-58314 ExploitDB-51742
Atcom IP Phone Webpage
VulnCheck Advisory: Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
 
Insyde Software–InsydeH2O An unchecked output buffer may allow arbitrary code execution in SMM and potentially result in SMM memory corruption. 2025-12-12 8.2 CVE-2025-10451 https://www.insyde.com/security-pledge/sa-2025009/
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI. 2025-12-11 8 CVE-2025-12029 GitLab Issue #577975
HackerOne Bug Bounty Report #3317485
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content. 2025-12-11 8.7 CVE-2025-12716 GitLab Issue #579548
HackerOne Bug Bounty Report #3405832
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
tharkun69–Player Leaderboard The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the ‘player_leaderboard’ shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode’s ‘mode’ attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities. 2025-12-12 8.8 CVE-2025-12824 https://www.wordfence.com/threat-intel/vulnerabilities/id/527f8f08-bab3-4319-99bf-845c8b378c19?source=cve
https://plugins.trac.wordpress.org/browser/player-leaderboard/trunk/public/class-player-leaderboard-public.php#L1419
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416129%40player-leaderboard&new=3416129%40player-leaderboard
 
Dassault Systèmes–ENOVIA Collaborative Industry Innovator A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in the user’s browser session. 2025-12-08 8.7 CVE-2025-12956 https://www.3ds.com/trust-center/security/security-advisories/cve-2025-12956
 
infility–Infility Global The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. 2025-12-12 8.8 CVE-2025-12968 https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e?source=cve
https://wordpress.org/plugins/infility-global/
 
wp3d–WP3D Model Import Viewer The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. 2025-12-13 8.8 CVE-2025-13094 https://www.wordfence.com/threat-intel/vulnerabilities/id/3144f190-232c-40c0-9e4b-d1cedfe52b26?source=cve
https://wordpress.org/plugins/wp3d-model-import-block/
 
IBM–Aspera Orchestrator IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password. 2025-12-11 8.1 CVE-2025-13148 https://www.ibm.com/support/pages/node/7254434
 
blazethemes–Blaze Demo Importer The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the “blaze_demo_importer_install_demo” function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder. 2025-12-12 8.1 CVE-2025-13334 https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6?source=cve
https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.13/blaze-demo-importer.php?marks=67-89#L68
 
IBM–Aspera Orchestrator IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input. 2025-12-11 8.8 CVE-2025-13481 https://www.ibm.com/support/pages/node/7254434
 
Nebim Neyir Computer Industry and Services Inc.–Nebim V3 ERP Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database. This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1. 2025-12-12 8.8 CVE-2025-13506 https://www.usom.gov.tr/bildirim/tr-25-0450
 
Ivanti–Endpoint Manager Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required. 2025-12-09 8.8 CVE-2025-13659 https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
 
OpenPLC_V3–OpenPLC_V3 OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems. 2025-12-13 8 CVE-2025-13970 https://github.com/thiagoralves/OpenPLC_v3
https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-345-10.json
 
rodgerholl–Visitor Logic Lite The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site. 2025-12-12 8.1 CVE-2025-14044 https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve
https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131
https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131
 
videomerchant–Video Merchant The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-10 8.8 CVE-2025-14390 https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve
https://wordpress.org/plugins/video-merchant
 
franciscopalacios–Postem Ipsum The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data leading to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary user accounts with the administrator role. 2025-12-13 8.8 CVE-2025-14397 https://www.wordfence.com/threat-intel/vulnerabilities/id/229c146d-3f99-4f63-9a6f-997075846815?source=cve
https://plugins.trac.wordpress.org/browser/postem-ipsum/trunk/admin/postem-ipsum-admin.php#L1150
 
nenad-obradovic–Extensive VC Addons for WPBakery page builder The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter. 2025-12-13 8.1 CVE-2025-14475 https://www.wordfence.com/threat-intel/vulnerabilities/id/49711408-5d04-4fdd-a6c4-b224959ba1bc?source=cve
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/lib/helpers-functions.php#L78
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/lib/helpers-functions.php#L78
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L122
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L122
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L142
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L142
 
unitecms–Doubly Cross Domain Copy Paste for WordPress The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access. 2025-12-13 8.8 CVE-2025-14476 https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve
https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/functions.class.php#L1040
https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040
https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/importer.class.php#L2536
https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/importer.class.php#L2536
 
Red Hat–Red Hat Enterprise Linux 10 A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers. 2025-12-11 8.2 CVE-2025-14523 https://access.redhat.com/security/cve/CVE-2025-14523
RHBZ#2421349
 
Tenda–CH22 A security flaw has been discovered in Tenda CH22 1.0.0.1. This affects the function frmL7ImForm of the file /goform/L7Im. Performing manipulation of the argument page results in buffer overflow. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. 2025-12-11 8.8 CVE-2025-14526 VDB-335866 | Tenda CH22 L7Im frmL7ImForm buffer overflow
VDB-335866 | CTI Indicators (IOB, IOC, IOA)
Submit #703035 | Tenda CH22 V1.0.0.1 Buffer overflow vulnerability
https://github.com/maximdevere/CVE2/issues/5
https://github.com/maximdevere/CVE2/issues/5#issue-3673676260
https://www.tenda.com.cn/
 
UTT–进取 512W A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This affects an unknown part of the file /goform/formWebAuthGlobalConfig. Performing manipulation of the argument hidcontact results in memory corruption. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-12 8.8 CVE-2025-14572 VDB-336196 | UTT 进取 512W formWebAuthGlobalConfig memory corruption
VDB-336196 | CTI Indicators (IOB, IOC, IOA)
Submit #704107 | UTT (AiTai) Jinqi 512W <=v3v1.7.7-171114 Buffer Overflow
https://github.com/alc9700jmo/CVE/issues/21
 
Tenda–AC20 A vulnerability was identified in Tenda AC20 16.03.08.12. The affected element is the function formSetPPTPUserList of the file /goform/setPptpUserList of the component httpd. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. 2025-12-14 8.8 CVE-2025-14654 VDB-336387 | Tenda AC20 httpd setPptpUserList formSetPPTPUserList stack-based overflow
VDB-336387 | CTI Indicators (IOB, IOC, IOA)
Submit #712899 | Tenda AC20 V16.03.08.12 Buffer Overflow
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN12/AC20_SetPptpUserList.md
https://www.tenda.com.cn/
 
Tenda–AC20 A security flaw has been discovered in Tenda AC20 16.03.08.12. The impacted element is the function formSetRebootTimer of the file /goform/SetSysAutoRebbotCfg of the component httpd. Performing manipulation of the argument rebootTime results in stack-based buffer overflow. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. 2025-12-14 8.8 CVE-2025-14655 VDB-336388 | Tenda AC20 httpd SetSysAutoRebbotCfg formSetRebootTimer stack-based overflow
VDB-336388 | CTI Indicators (IOB, IOC, IOA)
Submit #712910 | Tenda AC20 V16.03.08.12 Buffer Overflow
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN13/AC20_SetSysAutoRebbotCfg.md
https://www.tenda.com.cn/
 
Tenda–AC20 A weakness has been identified in Tenda AC20 16.03.08.12. This affects the function httpd of the file /goform/openSchedWifi. Executing manipulation of the argument schedStartTime/schedEndTime can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. 2025-12-14 8.8 CVE-2025-14656 VDB-336389 | Tenda AC20 openSchedWifi httpd buffer overflow
VDB-336389 | CTI Indicators (IOB, IOC, IOA)
Submit #712917 | Tenda AC20 V16.03.08.12 Buffer Overflow
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN14/AC20_openSchedWifi.md
https://www.tenda.com.cn/
 
D-Link–DIR-860LB1 A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. The manipulation of the argument Hostname results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. 2025-12-14 8.8 CVE-2025-14659 VDB-336391 | D-Link DIR-860LB1/DIR-868LB1 DHCP command injection
VDB-336391 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713701 | D-Link DIR-860LB1 v203b03 Command Injection
Submit #714709 | D-Link DIR-868LB1 v203b01 Command Injection (Duplicate)
https://tzh00203.notion.site/D-Link-DIR-860LB1-v203b03-Command-Injection-in-DHCPd-2c6b5c52018a807eab1ae73dbd95eee3?source=copy_link
https://tzh00203.notion.site/D-Link-DIR-868LB1-v203b01-Command-Injection-in-DHCPd-2c8b5c52018a805296c3dea51a7a4070?source=copy_link
https://www.dlink.com/
 
Infinera–MTC-9 Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge. 2025-12-08 8.6 CVE-2025-26487 https://www.cvcn.gov.it/cvcn/cve/CVE-2025-26487
 
NVIDIA–Merlin Transformers4Rec NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. 2025-12-09 8.8 CVE-2025-33213 https://nvd.nist.gov/vuln/detail/CVE-2025-33213
https://www.cve.org/CVERecord?id=CVE-2025-33213
https://nvidia.custhelp.com/app/answers/detail/a_id/5739
 
NVIDIA–NVTabular NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. 2025-12-09 8.8 CVE-2025-33214 https://nvd.nist.gov/vuln/detail/CVE-2025-33214
https://www.cve.org/CVERecord?id=CVE-2025-33214
https://nvidia.custhelp.com/app/answers/detail/a_id/5739
 
Siemens–COMOS V10.6 A vulnerability has been identified in COMOS V10.6 (All versions), COMOS V10.6 (All versions), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions), Simcenter System Architect (All versions), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack. 2025-12-09 8.1 CVE-2025-40801 https://cert-portal.siemens.com/productcert/html/ssa-710408.html
https://cert-portal.siemens.com/productcert/html/ssa-212953.html
 
Siemens–SIMATIC CN 4100 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application does not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments. This could allow an authenticated attacker to execute arbitrary code with limited privileges. 2025-12-09 8.3 CVE-2025-40937 https://cert-portal.siemens.com/productcert/html/ssa-416652.html
 
Siemens–SIMATIC CN 4100 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device’s confidentiality, integrity, and availability. 2025-12-09 8.1 CVE-2025-40938 https://cert-portal.siemens.com/productcert/html/ssa-416652.html
 
SAP_SE–SAP Web Dispatcher and Internet Communication Manager (ICM) SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on the confidentiality and availability of the application and a low impact on its integrity. 2025-12-09 8.2 CVE-2025-42878 https://me.sap.com/notes/3684682
https://url.sap/sapsecuritypatchday
 
TeamViewer–DEX A vulnerability in TeamViewer DEX Client (formerly 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. By providing a valid hash for a malicious file, an attacker can cause the service to incorrectly validate and process the file as trusted, enabling arbitrary code execution under the Nomad Branch service context. 2025-12-11 8.8 CVE-2025-44016 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed. 2025-12-09 8.4 CVE-2025-61810 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerability to bypass security measures and execute malicious code. Exploitation of this issue does not require user interaction and scope is changed. 2025-12-09 8.4 CVE-2025-61811 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction. 2025-12-09 8.4 CVE-2025-61812 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed. 2025-12-09 8.2 CVE-2025-61813 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Microsoft–Windows 11 Version 25H2 Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network. 2025-12-09 8.8 CVE-2025-62456 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
 
Microsoft–Windows 10 Version 1809 Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. 2025-12-09 8.8 CVE-2025-62549 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
 
Microsoft–Azure Monitor Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network. 2025-12-09 8.8 CVE-2025-62550 Azure Monitor Agent Remote Code Execution Vulnerability
 
Microsoft–Microsoft Office LTSC 2024 Access of resource using incompatible type (‘type confusion’) in Microsoft Office allows an unauthorized attacker to execute code locally. 2025-12-09 8.4 CVE-2025-62554 Microsoft Office Remote Code Execution Vulnerability
 
Microsoft–Microsoft Office LTSC 2024 Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. 2025-12-09 8.4 CVE-2025-62557 Microsoft Office Remote Code Execution Vulnerability
 
Microsoft–GitHub Copilot Plugin for JetBrains IDEs Improper neutralization of special elements used in a command (‘command injection’) in Copilot allows an unauthorized attacker to execute code locally. 2025-12-09 8.4 CVE-2025-64671 GitHub Copilot for JetBrains Remote Code Execution Vulnerability
 
Microsoft–Microsoft SharePoint Server Subscription Edition Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. 2025-12-09 8.8 CVE-2025-64672 Microsoft SharePoint Server Spoofing Vulnerability
 
Microsoft–Windows 10 Version 1809 Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. 2025-12-09 8.8 CVE-2025-64678 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
 
Huawei–HarmonyOS Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity. 2025-12-08 8.4 CVE-2025-66324 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 8.4 CVE-2025-66328 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0. 2025-12-11 8.8 CVE-2025-66419 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c
https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0
 
1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow attackers to overwrite the built-in dynamic linker and other critical files, potentially resulting in privilege escalation. This issue is fixed in version 2.4.0. 2025-12-11 8.8 CVE-2025-66446 https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xx2-3q9w-jpgf
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0
 
MasaCMS–MasaCMS Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user’s session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic. 2025-12-12 8.2 CVE-2025-66492 https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc
https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e
 
argoproj–argo-workflows Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link’s target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod’s start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5. 2025-12-09 8.1 CVE-2025-66626 https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
https://github.com/advisories/GHSA-p84v-gxvw-73pf
https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037
 
wasmi-labs–wasmi Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi’s linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To work around this issue, consider limiting the maximum linear memory sizes where feasible. 2025-12-09 8.4 CVE-2025-66627 https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq
 
zitadel–zitadel ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser; however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1. 2025-12-09 8 CVE-2025-67495 https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p
https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96
 
okta–okta-sdk-java Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1. 2025-12-10 8.4 CVE-2025-67505 https://github.com/okta/okta-sdk-java/security/advisories/GHSA-j5gq-897m-2rff
https://github.com/okta/okta-sdk-java/commit/abf4f128a0441f90cb7efcdcf4bde1aef8703243
 
filamentphp–filament Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1. 2025-12-10 8.1 CVE-2025-67507 https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g
https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815
 
neuron-core–neuron-ai Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12. 2025-12-10 8.2 CVE-2025-67509 https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36
https://github.com/neuron-core/neuron-ai/commit/72735d0ea133266cf2f5d5d195d41e9dd865289a
https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12
 
Webmin–Webmin squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin’s Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the “cms” security option). 2025-12-11 8.5 CVE-2025-67738 https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee
https://github.com/webmin/webmin/compare/2.520...2.600
 
Flow-Scanner–lightning-flow-scanner Lightning Flow Scanner provides a CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6. 2025-12-12 8.4 CVE-2025-67750 https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8
https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795
https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6
 
NXLog–NXLog Agent NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable. 2025-12-14 8.1 CVE-2025-67900 https://docs.nxlog.co/agent/current/release-notes.html#nxlog-agent-6-11
 
N/A–Vuetify The Preset configuration feature of Vuetify (https://v2.vuetifyjs.com/en/features/presets) is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal ‘mergeDeep’ utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application’s behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/. 2025-12-12 8.6 CVE-2025-8083 https://www.herodevs.com/vulnerability-directory/cve-2025-8083
https://codepen.io/herodevs/pen/RNWoaQM/f1f4ccc7e6a307c2a8c36d948ba14755
 
GitLab–GitLab GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays. 2025-12-11 8.7 CVE-2025-8405 GitLab Issue #558214
HackerOne Bug Bounty Report #3270940
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). During the Dynamic DNS configuration of the affected product it is possible to inject additional configuration parameters. Under certain circumstances, an attacker could leverage this vulnerability to spawn a reverse shell and gain root access on the affected system. 2025-12-09 7.5 CVE-2024-56836 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Due to the insufficient validation during the installation and load of certain configuration files of the affected device, an attacker could spawn a reverse shell and gain root access on the affected system. 2025-12-09 7.2 CVE-2024-56837 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). The SCEP client available in the affected device for secure certificate enrollment lacks validation of multiple fields. An attacker could leverage this scenario to execute arbitrary code as root user. 2025-12-09 7.2 CVE-2024-56838 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Code injection can be achieved when the affected device is using VRF (Virtual Routing and Forwarding). An attacker could leverage this scenario to execute arbitrary code as root user. 2025-12-09 7.2 CVE-2024-56839 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
Siemens–RUGGEDCOM ROX II family A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Under certain conditions, IPsec may allow code injection in the affected device. An attacker could leverage this scenario to execute arbitrary code as root user. 2025-12-09 7.2 CVE-2024-56840 https://cert-portal.siemens.com/productcert/html/ssa-912274.html
 
SPA-Cart–SPA-CART CMS SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the ‘descr’ parameter in the product edit form to execute arbitrary code in administrative users’ browsers. 2025-12-11 7.5 CVE-2024-58304 ExploitDB-51919
VulnCheck Advisory: SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting via Product Description
 
PuneethReddyHC–online-shopping-system-advanced Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered ‘cm’ parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database information by manipulating the user ID parameter. 2025-12-12 7.5 CVE-2024-58316 ExploitDB-51811
Product GitHub Repository
VulnCheck Advisory: Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter
 
NomySoft Information Technology Training and Consulting Inc.–Nomysem Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025. 2025-12-10 7.1 CVE-2025-1161 https://www.usom.gov.tr/bildirim/tr-25-0440
 
Lenovo–App Store A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions. 2025-12-10 7.8 CVE-2025-12046 https://iknow.lenovo.com.cn/detail/435004
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits. 2025-12-11 7.5 CVE-2025-12562 GitLab Issue #579152
HackerOne Bug Bounty Report #3360710
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
radykal–Fancy Product Designer The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. 2025-12-12 7.2 CVE-2025-12570 https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve
https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393
 
widgetpack–Reviews Widget for Google, Yelp & Recommendations The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the ‘trim_text’ function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5. 2025-12-09 7.2 CVE-2025-12705 https://www.wordfence.com/threat-intel/vulnerabilities/id/6d2aa302-aaab-4bf1-9a79-144290b967de?source=cve
https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L447
https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L449
https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L452
https://plugins.trac.wordpress.org/changeset/3393291/
https://plugins.trac.wordpress.org/changeset/3406362/
 
Aksis Computer Services and Consulting Inc.–AxOnboard Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers. This issue affects AxOnboard: from 3.2.0 before 3.3.0. 2025-12-11 7.6 CVE-2025-13003 https://www.usom.gov.tr/bildirim/tr-25-0446
 
payamito–payamito sms woocommerce The افزونه پیامک ووکامرس فوق حرفه ای (جدید) payamito sms woocommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘columns’ parameter in all versions up to, and including, 1.3.5. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-13 7.5 CVE-2025-13077 https://www.wordfence.com/threat-intel/vulnerabilities/id/75de6387-fac7-403d-9e6c-89570658d978?source=cve
https://plugins.trac.wordpress.org/browser/payamito-sms-woocommerce/tags/1.3.5/includes/core/payamito-core/admin/class-payamito-admin.php#L64
https://plugins.trac.wordpress.org/browser/payamito-sms-woocommerce/tags/1.3.5/includes/core/payamito-core/includes/class-db.php#L64
https://owasp.org/www-community/attacks/SQL_Injection
 
listingthemes–WP Directory Kit The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the ‘hide_fields’ and the ‘attr_search’ parameter in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-13 7.5 CVE-2025-13089 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0696cbe-70e0-402d-bcfd-40907a973785?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412635%40wpdirectorykit&new=3412635%40wpdirectorykit&sfp_email=&sfph_mail=
 
Netiket Information Technologies Ltd. Co.–ApplyLogic Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025. 2025-12-11 7.6 CVE-2025-13124 https://www.usom.gov.tr/bildirim/tr-25-0447
 
tomdever–wpForo Forum The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-14 7.5 CVE-2025-13126 https://www.wordfence.com/threat-intel/vulnerabilities/id/fd1704ef-e259-40a3-974b-128145bc8a4a?source=cve
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Topics.php?rev=3386327#L1641
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Posts.php?rev=3386327#L633
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentTopics.php?rev=3386327#L117
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentPosts.php?rev=3386327#L177
 
Lenovo–One Client A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges. 2025-12-10 7.8 CVE-2025-13152 https://iknow.lenovo.com.cn/detail/435007
https://one.lenovo.com/
 
Lenovo–Baiying Client An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges. 2025-12-10 7.8 CVE-2025-13155 https://iknow.lenovo.com.cn/detail/435005
 
IBM–Aspera Orchestrator IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. 2025-12-11 7.6 CVE-2025-13214 https://www.ibm.com/support/pages/node/7254434
 
hippooo–Hippoo Mobile App for WooCommerce The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. 2025-12-10 7.5 CVE-2025-13339 https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve
https://plugins.trac.wordpress.org/changeset/3412701/
 
cleantalk–Login Security, FireWall, Malware removal by CleanTalk The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-09 7.2 CVE-2025-13604 https://www.wordfence.com/threat-intel/vulnerabilities/id/1e35eb83-716e-4177-99ba-24a884725265?source=cve
https://plugins.trac.wordpress.org/browser/security-malware-firewall/tags/2.168/inc/spbc-settings.php#L2342
 
Ivanti–Endpoint Manager Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required. 2025-12-09 7.1 CVE-2025-13661 https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
 
Ivanti–Endpoint Manager Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required. 2025-12-09 7.8 CVE-2025-13662 https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
 
cvedovini–LT Unleashed The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the ‘template’ parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included. 2025-12-12 7.5 CVE-2025-13886 https://www.wordfence.com/threat-intel/vulnerabilities/id/c72099cc-e70a-4afe-92c0-8f9f8c1e91b7?source=cve
https://plugins.trac.wordpress.org/browser/lt-unleashed/trunk/lt-unleashed.php#L315
https://plugins.trac.wordpress.org/browser/lt-unleashed/tags/1.1.1/lt-unleashed.php#L315
https://plugins.trac.wordpress.org/browser/lt-unleashed/trunk/lt-unleashed.php#L241
 
qdonow–WPNakama Team and multi-Client Collaboration, Editorial and Project Management The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-12 7.5 CVE-2025-14068 https://www.wordfence.com/threat-intel/vulnerabilities/id/9abfd0f5-f665-4745-9756-8445ddbdc29d?source=cve
https://plugins.trac.wordpress.org/browser/wpnakama/trunk/inc/class-wpnakama.php#L197
https://plugins.trac.wordpress.org/browser/wpnakama/tags/0.6.3/inc/class-wpnakama.php#L197
https://plugins.trac.wordpress.org/browser/wpnakama/trunk/inc/class-wpnakama-api.php#L206
https://plugins.trac.wordpress.org/browser/wpnakama/tags/0.6.3/inc/class-wpnakama-api.php#L206
https://cwe.mitre.org/data/definitions/89.html
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412904%40wpnakama&new=3412904%40wpnakama&sfp_email=&sfph_mail=
 
amans2k–FunnelKit Funnel Builder for WooCommerce Checkout The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘opid’ parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-12 7.5 CVE-2025-14169 https://www.wordfence.com/threat-intel/vulnerabilities/id/fb19f920-0fd0-491e-9e87-62c828cad9b9?source=cve
https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.5/modules/optins/admin/db/class-wffn-db-optin.php#L79
https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.5/modules/optins/merge-tags/class-bwf-optin-tags.php#L126
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415550%40funnel-builder%2Ftrunk&old=3414128%40funnel-builder%2Ftrunk&sfp_email=&sfph_mail=
 
tushar-2223–Hotel-Management-System A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. 2025-12-08 7.3 CVE-2025-14207 VDB-334650 | tushar-2223 Hotel-Management-System invoiceprint.php sql injection
VDB-334650 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700478 | tushar-2223 Hotel-Management-System latest SQL Injection
https://github.com/yaklang/IRifyScanResult/blob/main/Hotel-Management-System/SQL_Injection_Vulnerability_Report.md
 
Campcodes–School File Management System A weakness has been identified in Campcodes School File Management System 1.0. This impacts an unknown function of the file /update_query.php. This manipulation of the argument stud_id causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. 2025-12-08 7.3 CVE-2025-14209 VDB-334652 | Campcodes School File Management System update_query.php sql injection
VDB-334652 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700896 | Campcodes School File Management System 1.0 SQL Injection
https://github.com/IdealDreamLast/PublicCVE/issues/1
https://www.campcodes.com/
 
projectworlds–Advanced Library Management System A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 2025-12-08 7.3 CVE-2025-14210 VDB-334653 | projectworlds Advanced Library Management System delete_member.php sql injection
VDB-334653 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700948 | projectworlds Advanced Library Management System 1.0 delete_member.php SQL injection
https://github.com/rassec2/dbcve/issues/9
 
projectworlds–Advanced Library Management System A vulnerability was detected in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /delete_book.php. Performing manipulation of the argument book_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. 2025-12-08 7.3 CVE-2025-14211 VDB-334654 | projectworlds Advanced Library Management System delete_book.php sql injection
VDB-334654 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700949 | projectworlds Advanced Library Management System 1.0 delete_book.php SQL injection
https://github.com/rassec2/dbcve/issues/10
 
projectworlds–Advanced Library Management System A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /member_search.php. Executing manipulation of the argument roll_number can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. 2025-12-08 7.3 CVE-2025-14212 VDB-334655 | projectworlds Advanced Library Management System member_search.php sql injection
VDB-334655 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700977 | projectworlds Advanced Library Management System 1.0 member_search.php SQL injection
https://github.com/rassec2/dbcve/issues/11
 
code-projects–Currency Exchange System A vulnerability was found in code-projects Currency Exchange System 1.0. This vulnerability affects unknown code of the file /edit.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. 2025-12-08 7.3 CVE-2025-14215 VDB-334657 | code-projects Currency Exchange System edit.php sql injection
VDB-334657 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701151 | Code-Projects Currency Exchange System 1.0 /edit.php SQL Injection
https://github.com/rassec2/dbcve/issues/12
https://code-projects.org/
 
code-projects–Currency Exchange System A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-08 7.3 CVE-2025-14216 VDB-334658 | code-projects Currency Exchange System viewserial.php sql injection
VDB-334658 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701152 | Code-Projects Currency Exchange System 1.0 /viewserial.php SQL Injection
https://github.com/rassec2/dbcve/issues/13
https://code-projects.org/
 
code-projects–Currency Exchange System A vulnerability was identified in code-projects Currency Exchange System 1.0. Impacted is an unknown function of the file /edittrns.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. 2025-12-08 7.3 CVE-2025-14217 VDB-334659 | code-projects Currency Exchange System edittrns.php sql injection
VDB-334659 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701154 | Code-Projects Currency Exchange System 1.0 /edittrns.php SQL Injection
https://github.com/rassec2/dbcve/issues/14
https://code-projects.org/
 
code-projects–Currency Exchange System A security flaw has been discovered in code-projects Currency Exchange System 1.0. The affected element is an unknown function of the file /editotheraccount.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. 2025-12-08 7.3 CVE-2025-14218 VDB-334660 | code-projects Currency Exchange System editotheraccount.php sql injection
VDB-334660 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701155 | Code-Projects Currency Exchange System 1.0 /editotheraccount.php SQL Injection
https://github.com/rassec2/dbcve/issues/15
https://code-projects.org/
 
code-projects–Simple Leave Manager A vulnerability has been found in code-projects Simple Leave Manager 1.0. Affected by this vulnerability is an unknown functionality of the file /request.php. Such manipulation of the argument staff_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-08 7.3 CVE-2025-14223 VDB-334665 | code-projects Simple Leave Manager request.php sql injection
VDB-334665 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701639 | code-projects Simple Leave Manager In PHP With Source Code 1.0 SQL Injection
https://github.com/woshilaiyi/cve/issues/4
https://code-projects.org/
 
itsourcecode–Student Management System A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well. 2025-12-08 7.3 CVE-2025-14226 VDB-334668 | itsourcecode Student Management System edit_user.php sql injection
VDB-334668 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701801 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/17
https://itsourcecode.com/
 
n/a–IdeaCMS A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-08 7.3 CVE-2025-14245 VDB-334755 | IdeaCMS Coupon.php whereRaw sql injection
VDB-334755 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702437 | Shop (GoodPu Mall) IdeaCMS 1.0 goods_ids parame SQL Injection
https://github.com/rassec2/dbcve/issues/17
 
code-projects–Simple Shopping Cart A vulnerability was identified in code-projects Simple Shopping Cart 1.0. Impacted is an unknown function of the file /adminlogin.php. The manipulation of the argument admin_username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2025-12-08 7.3 CVE-2025-14248 VDB-334758 | code-projects Simple Shopping Cart adminlogin.php sql injection
VDB-334758 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702464 | code-projects Simple Shopping Cart V1.0 SQL injection
https://github.com/zzb1388/cve/issues/92
https://code-projects.org/
 
code-projects–Online Ordering System A security flaw has been discovered in code-projects Online Ordering System 1.0. The affected element is an unknown function of the file /user_school.php. The manipulation of the argument product_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. 2025-12-08 7.3 CVE-2025-14249 VDB-334759 | code-projects Online Ordering System user_school.php sql injection
VDB-334759 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702465 | code-projects Online Ordering System V1.0 SQL injection
https://github.com/zzb1388/cve/issues/93
https://code-projects.org/
 
code-projects–Online Ordering System A weakness has been identified in code-projects Online Ordering System 1.0. The impacted element is an unknown function of the file /user_contact.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-08 7.3 CVE-2025-14250 VDB-334760 | code-projects Online Ordering System user_contact.php sql injection
VDB-334760 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702466 | code-projects Online Ordering System V1.0 SQL injection
https://github.com/zzb1388/cve/issues/94
https://code-projects.org/
 
code-projects–Online Ordering System A security vulnerability has been detected in code-projects Online Ordering System 1.0. This affects an unknown function of the file /admin/ of the component Admin Login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 2025-12-08 7.3 CVE-2025-14251 VDB-334761 | code-projects Online Ordering System Admin Login admin sql injection
VDB-334761 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702467 | code-projects Online Ordering System V1.0 SQL injection
https://github.com/zzb1388/cve/issues/95
https://code-projects.org/
 
itsourcecode–Student Management System A vulnerability was detected in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /newcurriculm.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. 2025-12-08 7.3 CVE-2025-14256 VDB-334762 | itsourcecode Student Management System newcurriculm.php sql injection
VDB-334762 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702484 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/J0kkeR/cve/issues/1
https://itsourcecode.com/
 
itsourcecode–Student Management System A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /newrecord.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. 2025-12-08 7.3 CVE-2025-14257 VDB-334763 | itsourcecode Student Management System newrecord.php sql injection
VDB-334763 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702487 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/J0kkeR/cve/issues/2
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /newsubject.php. The manipulation of the argument sub leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-08 7.3 CVE-2025-14258 VDB-334764 | itsourcecode Student Management System newsubject.php sql injection
VDB-334764 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702619 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/18
https://itsourcecode.com/
 
Litmuschaos–litmus The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack. 2025-12-08 7.1 CVE-2025-14261 https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/
https://github.com/litmuschaos/litmus/pull/5324
 
code-projects–Employee Profile Management System A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. 2025-12-09 7.3 CVE-2025-14285 VDB-334873 | code-projects Employee Profile Management System edit_personnel.php sql injection
VDB-334873 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702684 | code-projects Employee Profile Management System V1 SQL injection
https://github.com/tiancesec/CVE/issues/15
https://code-projects.org/
 
ravynsoft–ravynos NULL Pointer Dereference vulnerability in ravynsoft ravynos. This issue affects ravynos: through 0.5.2. 2025-12-09 7.5 CVE-2025-14309 https://github.com/ravynsoft/ravynos/pull/502
 
itsourcecode–Student Management System A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. 2025-12-09 7.3 CVE-2025-14334 VDB-335159 | itsourcecode Student Management System new_adviser.php sql injection
VDB-335159 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702741 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/19
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 2025-12-09 7.3 CVE-2025-14335 VDB-335160 | itsourcecode Student Management System new_school_year.php sql injection
VDB-335160 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702743 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/20
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. 2025-12-09 7.3 CVE-2025-14336 VDB-335161 | itsourcecode Student Management System promote.php sql injection
VDB-335161 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702744 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/21
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-09 7.3 CVE-2025-14337 VDB-335162 | itsourcecode Student Management System new_grade.php sql injection
VDB-335162 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702745 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/22
https://itsourcecode.com/
 
Campcodes–Supplier Management System A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. 2025-12-11 7.3 CVE-2025-14514 VDB-335852 | Campcodes Supplier Management System add_distributor.php sql injection
VDB-335852 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702752 | Campcodes Supplier Management System V1.0 SQL Injection
Submit #702760 | Campcodes Supplier Management System V1.0 SQL Injection (Duplicate)
https://github.com/ProgramShowMaker/CVE/issues/4
https://github.com/ProgramShowMaker/CVE/issues/5
https://www.campcodes.com/
 
Campcodes–Supplier Management System A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_unit.php. Such manipulation of the argument txtunitDetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-11 7.3 CVE-2025-14515 VDB-335853 | Campcodes Supplier Management System add_unit.php sql injection
VDB-335853 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #704108 | Campcodes Supplier Management System V1.0 SQL Injection
https://github.com/falling-snow1/vuldb/issues/3
https://www.campcodes.com/
 
projectworlds–Advanced Library Management System A weakness has been identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /view_book.php. Executing manipulation of the argument book_id can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. 2025-12-11 7.3 CVE-2025-14527 VDB-335867 | projectworlds Advanced Library Management System view_book.php sql injection
VDB-335867 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703096 | Projectworlds Library Management System V1.0 SQL Injection
https://github.com/Sunhaobin318/CVE/issues/8
 
Campcodes–Retro Basketball Shoes Online Store A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The affected element is an unknown function of the file /admin/admin_running.php. This manipulation of the argument pid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2025-12-11 7.3 CVE-2025-14529 VDB-335870 | Campcodes Retro Basketball Shoes Online Store admin_running.php sql injection
VDB-335870 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703191 | Campcodes Retro Basketball Shoes Online Store V1.0 SQL Injection
https://github.com/Rowantu/CVE/issues/7
https://www.campcodes.com/
 
code-projects–Class and Exam Timetable Management A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the argument username/password results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. 2025-12-11 7.3 CVE-2025-14536 VDB-335875 | code-projects Class and Exam Timetable Management Login index.php sql injection
VDB-335875 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703700 | code projects Class and Exam Timetable Management System 1.0 SQL injection
Submit #703701 | code projects Class and Exam Timetable Management System 1.0 SQL injection (Duplicate)
https://github.com/woshilaiyi/cve/issues/11
https://github.com/woshilaiyi/cve/issues/12
https://code-projects.org/
 
code-projects–Class and Exam Timetable Management A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. Affected by this issue is some unknown functionality of the file /preview7.php. This manipulation of the argument course_year_section/semester causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. 2025-12-11 7.3 CVE-2025-14537 VDB-335876 | code-projects Class and Exam Timetable Management preview7.php sql injection
VDB-335876 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703712 | code projects Class and Exam Timetable Management System 1.0 SQL injection
Submit #703717 | code projects Class and Exam Timetable Management System 1.0 SQL injection (Duplicate)
https://github.com/woshilaiyi/cve/issues/13
https://github.com/woshilaiyi/cve/issues/14
https://code-projects.org/
 
n/a– python-utcp The vulnerability arises when a client fetches a tool's JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the client's trust, a malicious provider can later change the manual to exploit the client. 2025-12-13 7.5 CVE-2025-14542 https://research.jfrog.com/vulnerabilities/python-utcp-untrusted-manual-command-execution-jfsa-2025-001648329/
https://github.com/universal-tool-calling-protocol/python-utcp/commit/2dc9c02df72cad3770c934959325ec344b441444
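The python-utcp entry above describes a trust problem rather than a parser bug: the client keeps trusting whatever the Manual Endpoint serves, so a provider that once served a benign HTTP tool can later swap in something else. The following is an added example of a client-side mitigation, not code from python-utcp or from the JFrog advisory: it pins the SHA-256 of the first manual an operator reviewed and refuses a changed manual until it is explicitly re-approved, and it also refuses any tool whose transport is not on an allowlist (the linked advisory title refers to command execution, which is why the allowlist contains only "http"). The manual field names "tools", "name" and "transport", the endpoint URL and both manuals are constructed for this example and are not UTCP's real schema.

```python
import hashlib
import json


class ManualRejected(Exception):
    pass


# Only transports the operator has agreed to. "http" is the case the entry
# calls benign; anything else (assumed name "cli" below) is refused.
ALLOWED_TRANSPORTS = {"http"}


def manual_fingerprint(manual):
    # Canonical JSON (sorted keys, no whitespace) so that semantically equal
    # manuals hash identically regardless of how the server serialized them.
    canonical = json.dumps(manual, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_transports(manual):
    # Refuse any tool whose transport is not allowlisted, so a manual that swaps
    # an HTTP tool for a command-executing one is rejected even on first sight.
    # Field names "tools", "name", "transport" are assumptions for this example.
    for tool in manual.get("tools", []):
        transport = tool.get("transport")
        if transport not in ALLOWED_TRANSPORTS:
            raise ManualRejected(
                f"tool {tool.get('name')!r} uses disallowed transport {transport!r}"
            )


class ManualPinStore:
    # Trust-on-first-use pinning: remember the fingerprint of the manual the
    # operator reviewed and refuse a different one from the same endpoint
    # until a human re-approves it via repin().
    def __init__(self):
        self._pins = {}

    def accept(self, endpoint, manual):
        check_transports(manual)
        fp = manual_fingerprint(manual)
        pinned = self._pins.get(endpoint)
        if pinned is None:
            self._pins[endpoint] = fp
            return "pinned"
        if pinned != fp:
            raise ManualRejected(
                f"manual at {endpoint} changed: pinned {pinned[:12]}..., got {fp[:12]}..."
            )
        return "unchanged"

    def repin(self, endpoint, manual):
        # Explicit operator action after reviewing the new manual.
        check_transports(manual)
        self._pins[endpoint] = manual_fingerprint(manual)


# Constructed manuals standing in for what a provider might serve over time.
BENIGN_MANUAL = {
    "tools": [
        {"name": "weather", "transport": "http", "url": "https://example.invalid/weather"}
    ]
}
SWAPPED_MANUAL = {
    "tools": [
        {"name": "weather", "transport": "cli", "command": "echo attacker-controlled"}
    ]
}
```

Pinning turns "the provider changed the manual" from a silent event into a hard failure; the transport allowlist covers the case where the very first manual is already hostile. Neither replaces the upstream fix in the linked commit, which is what actually removes the dangerous behaviour from the client.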
 
kidaze–CourseSelectionSystem A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/SProfile/login1.php. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. 2025-12-12 7.3 CVE-2025-14565 VDB-336189 | kidaze CourseSelectionSystem login1.php sql injection
VDB-336189 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703875 | github.com Course Selection System v1.0 SQL injection
https://github.com/Anti1i/cve/issues/1
 
kidaze–CourseSelectionSystem A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The impacted element is an unknown function of the file /Profilers/SProfile/reg.php. Performing manipulation of the argument USN results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. 2025-12-12 7.3 CVE-2025-14566 VDB-336190 | kidaze CourseSelectionSystem reg.php sql injection
VDB-336190 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703876 | github.com Course Selection System v1.0 SQL injection
Submit #704951 | github.com Course Selection System Project V1.0 SQL Injection (Duplicate)
https://github.com/Anti1i/cve/issues/2
 
projectworlds–Advanced Library Management System A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. 2025-12-12 7.3 CVE-2025-14570 VDB-336194 | projectworlds Advanced Library Management System view_admin.php sql injection
VDB-336194 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #704087 | projectworlds Library Management System V1.0 SQL Injection
https://github.com/louxiadelaolitou/CVE/issues/1
 
projectworlds–Advanced Library Management System A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-12 7.3 CVE-2025-14571 VDB-336195 | projectworlds Advanced Library Management System borrow_book.php sql injection
VDB-336195 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #704088 | Projectworlds Library Management System V1.0 SQL Injection
https://github.com/louxiadelaolitou/CVE/issues/2
 
itsourcecode–Student Management System A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-12 7.3 CVE-2025-14578 VDB-336200 | itsourcecode Student Management System update_account.php sql injection
VDB-336200 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #704794 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/23
https://itsourcecode.com/
 
campcodes–Online Student Enrollment System A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. 2025-12-12 7.3 CVE-2025-14583 VDB-336203 | campcodes Online Student Enrollment System register.php unrestricted upload
VDB-336203 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705525 | campcodes Online Student Enrollment System V1.0 Unrestricted Upload
https://github.com/CHENCHOUCHOU/vuln/issues/1
https://www.campcodes.com/
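The Online Student Enrollment System entry above is an unrestricted upload through the photo argument of an admin registration form: the server stores whatever file the client names. The following is an added example of the checks a practitioner would put in front of such an upload, written here in Python for illustration and not taken from the campcodes project (which is PHP): the client filename is used only to read an extension, the extension must be on an allowlist, the first bytes must carry the matching image signature, NUL bytes and directory components are rejected, and the stored name is generated server-side. The sample bytes are constructed.

```python
import os
import secrets

# Allowlisted extensions and the file signatures each must start with.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_PHOTO_BYTES = 2 * 1024 * 1024


def validate_photo_upload(client_filename, data, max_bytes=MAX_PHOTO_BYTES):
    # Returns the server-chosen filename to store the bytes under, or raises
    # ValueError. The client-supplied name is used only to read an extension.
    if not data or len(data) > max_bytes:
        raise ValueError("empty or oversized upload")
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Strip any directory component the client sent (../ or C:\...).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        raise ValueError(f"extension {ext!r} not allowed")
    # The content must match the claimed type; a script renamed to .jpg fails
    # here because it does not start with a JPEG marker.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client name: generate one and keep only the vetted extension.
    return secrets.token_hex(16) + ext


def is_acceptable_photo(client_filename, data):
    try:
        validate_photo_upload(client_filename, data)
        return True
    except ValueError:
        return False


# Constructed samples: a minimal PNG header with padding, and a PHP script that
# an attacker might rename to look like an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"
```

Signature checks stop the plain "rename shell.php to shell.jpg" case but not a real image with a script appended, so the upload directory must additionally be served without script execution (or from outside the web root); the random filename also prevents the attacker from choosing a path or overwriting another user's photo.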
 
itsourcecode–COVID Tracking System A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-12 7.3 CVE-2025-14584 VDB-336204 | itsourcecode COVID Tracking System Admin Login login.php sql injection
VDB-336204 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705534 | itsourcecode COVID Tracking System V1.0 SQL Injection
https://github.com/Wegetmore/CVE/issues/1
https://itsourcecode.com/
 
itsourcecode–COVID Tracking System A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=zone. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. 2025-12-12 7.3 CVE-2025-14585 VDB-336205 | itsourcecode COVID Tracking System page sql injection
VDB-336205 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705535 | itsourcecode COVID Tracking System V1.0 SQL Injection
Submit #706053 | itsourcecode COVID Tracking System V1.0 SQL Injection (Duplicate)
https://github.com/Ggeee3/CVE/issues/1
https://itsourcecode.com/
 
itsourcecode–Online Pet Shop Management System A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. This affects an unknown part of the file /pet1/available.php. Such manipulation of the argument Name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. 2025-12-13 7.3 CVE-2025-14587 VDB-336207 | itsourcecode Online Pet Shop Management System available.php sql injection
VDB-336207 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705670 | itsourcecode Online Pet Shop Management System V1.0 SQL Injection
https://github.com/tzm113/CVE/issues/1
https://itsourcecode.com/
 
itsourcecode–Student Management System A security flaw has been discovered in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /update_program.php. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. 2025-12-13 7.3 CVE-2025-14588 VDB-336208 | itsourcecode Student Management System update_program.php sql injection
VDB-336208 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707081 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/24
https://itsourcecode.com/
 
code-projects–Prison Management System A security vulnerability has been detected in code-projects Prison Management System 2.0. Impacted is an unknown function of the file /admin/search1.php. The manipulation of the argument keyname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. 2025-12-13 7.3 CVE-2025-14590 VDB-336210 | code-projects Prison Management System search1.php sql injection
VDB-336210 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707096 | code-projects Prison Management System 2.0 SQL Injection
https://github.com/asd1238525/cve/blob/main/SQL19.md
https://code-projects.org/
 
code-projects–Student File Management System A vulnerability was found in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file login_query.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. 2025-12-13 7.3 CVE-2025-14619 VDB-336304 | code-projects Student File Management System login_query.php sql injection
VDB-336304 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707101 | Code-projects Student File Management System 1.0 SQL Injection
Submit #709095 | Code-projects Student File Management System v1.0 Authentication Bypass by Primary Weakness (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr2/issues/2
https://code-projects.org/
 
code-projects–Student File Management System A vulnerability was determined in code-projects Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/login_query.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-13 7.3 CVE-2025-14620 VDB-336305 | code-projects Student File Management System login_query.php sql injection
VDB-336305 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707109 | Code-projects Student File Management System 1.0 SQL Injection
Submit #709074 | Code-projects Student File Management System v1.0 Authentication Bypass by Primary Weakness (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr3/issues/1
https://code-projects.org/
 
code-projects–Student File Management System A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument user_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2025-12-13 7.3 CVE-2025-14621 VDB-336306 | code-projects Student File Management System update_user.php sql injection
VDB-336306 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707132 | Code-projects Student File Management System 1.0 SQL injection
https://github.com/jjjjj-zr/jjjjjzr4/issues/1
https://code-projects.org/
 
code-projects–Student File Management System A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. 2025-12-13 7.3 CVE-2025-14622 VDB-336307 | code-projects Student File Management System save_user.php sql injection
VDB-336307 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707135 | Code-projects Student File Management System 1.0 SQL injection
Submit #709197 | Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr5/issues/1
https://code-projects.org/
 
code-projects–Student File Management System A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. This manipulation of the argument stud_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. 2025-12-13 7.3 CVE-2025-14623 VDB-336308 | code-projects Student File Management System update_student.php sql injection
VDB-336308 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707157 | Code-projects Student File Management System 1.0 SQL injection
Submit #709202 | Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr6/issues/1
https://code-projects.org/
 
itsourcecode–Online Pet Shop Management System A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. This manipulation of the argument cnpname causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. 2025-12-13 7.3 CVE-2025-14637 VDB-336362 | itsourcecode Online Pet Shop Management System addcnp.php sql injection
VDB-336362 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707271 | itsourcecode Online Pet Shop Management System V1.0 SQL Injection
https://github.com/sec-dreamer/vulpxnPolm/issues/1
https://itsourcecode.com/
 
itsourcecode–Online Pet Shop Management System A security vulnerability has been detected in itsourcecode Online Pet Shop Management System 1.0. This issue affects some unknown processing of the file /pet1/update_cnp.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 2025-12-14 7.3 CVE-2025-14638 VDB-336363 | itsourcecode Online Pet Shop Management System update_cnp.php sql injection
VDB-336363 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #709625 | itsourcecode Online Pet Shop Management System V1.0 SQL Injection
https://github.com/qingdus/temp_cve/issues/2
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability was detected in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /uprec.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. 2025-12-14 7.3 CVE-2025-14639 VDB-336364 | itsourcecode Student Management System uprec.php sql injection
VDB-336364 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710017 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/25
https://itsourcecode.com/
 
code-projects–Student File Management System A flaw has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /admin/save_student.php. Executing manipulation of the argument stud_no can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. 2025-12-14 7.3 CVE-2025-14640 VDB-336365 | code-projects Student File Management System save_student.php sql injection
VDB-336365 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710162 | Code-projects Student File Management System v1.0 SQL Injection
Submit #709201 | Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr14/issues/1
https://code-projects.org/
 
code-projects–Simple Attendance Record System A vulnerability was found in code-projects Simple Attendance Record System 2.0. The affected element is an unknown function of the file /check.php. Performing manipulation of the argument student results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2025-12-14 7.3 CVE-2025-14643 VDB-336376 | code-projects Simple Attendance Record System check.php sql injection
VDB-336376 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708236 | code-projects Simple Attendance Record System 2.0 SQL Injection
https://github.com/asd1238525/cve/blob/main/SQL20.md
https://code-projects.org/
 
itsourcecode–Student Management System A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /update_subject.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-14 7.3 CVE-2025-14644 VDB-336377 | itsourcecode Student Management System update_subject.php sql injection
VDB-336377 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708739 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/Bai-public/CVE/issues/2
https://itsourcecode.com/
 
code-projects–Student File Management System A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown function of the file /admin/delete_user.php. The manipulation of the argument user_id leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2025-12-14 7.3 CVE-2025-14645 VDB-336378 | code-projects Student File Management System delete_user.php sql injection
VDB-336378 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #709003 | Code-projects Student File Management System 1.0 SQL Injection
Submit #709187 | Fabian Ros Student File Management System in PHP 1.0 (Released 2025-12-03) SQL Injection (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr7/issues/1
https://code-projects.org/
 
code-projects–Student File Management System A security flaw has been discovered in code-projects Student File Management System 1.0. This impacts an unknown function of the file /admin/delete_student.php. The manipulation of the argument stud_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. 2025-12-14 7.3 CVE-2025-14646 VDB-336379 | code-projects Student File Management System delete_student.php sql injection
VDB-336379 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #709032 | Code-projects Student File Management System v1.0 SQL Injection
Submit #709193 | Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate)
https://github.com/jjjjj-zr/jjjjjzr8/issues/1
https://code-projects.org/
 
code-projects–Computer Book Store A weakness has been identified in code-projects Computer Book Store 1.0. Affected is an unknown function of the file /admin_delete.php. This manipulation of the argument bookisbn causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-14 7.3 CVE-2025-14647 VDB-336380 | code-projects Computer Book Store admin_delete.php sql injection
VDB-336380 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #709618 | Code-projects Computer Book Store v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr11/issues/2
https://code-projects.org/
 
itsourcecode–Online Cake Ordering System A vulnerability was detected in itsourcecode Online Cake Ordering System 1.0. Affected by this issue is some unknown functionality of the file /cakeshop/supplier.php. Performing manipulation of the argument supplier results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. 2025-12-14 7.3 CVE-2025-14649 VDB-336382 | itsourcecode Online Cake Ordering System supplier.php sql injection
VDB-336382 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710247 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/yihaofuweng/cve/issues/60
https://itsourcecode.com/
 
itsourcecode–Online Cake Ordering System A flaw has been found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown part of the file /cakeshop/product.php. Executing manipulation of the argument Product can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. 2025-12-14 7.3 CVE-2025-14650 VDB-336383 | itsourcecode Online Cake Ordering System product.php sql injection
VDB-336383 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710248 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/yihaofuweng/cve/issues/61
https://itsourcecode.com/
 
itsourcecode–Online Cake Ordering System A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This issue affects some unknown processing of the file /admindetail.php?action=edit. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. 2025-12-14 7.3 CVE-2025-14652 VDB-336385 | itsourcecode Online Cake Ordering System admindetail.php sql injection
VDB-336385 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #712648 | itsourcecode Online Cake Ordering System V1.0 sql
https://github.com/moonrains/test/issues/1
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability was determined in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /addrecord.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2025-12-14 7.3 CVE-2025-14653 VDB-336386 | itsourcecode Student Management System addrecord.php sql injection
VDB-336386 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #712651 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/moonrains/content/issues/1
https://itsourcecode.com/
 
itsourcecode–Student Management System A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /advisers.php. Such manipulation of the argument sy leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-14 7.3 CVE-2025-14661 VDB-336393 | itsourcecode Student Management System advisers.php sql injection
VDB-336393 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713742 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/27
https://itsourcecode.com/
 
Campcodes–Supplier Management System A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2025-12-14 7.3 CVE-2025-14664 VDB-336396 | Campcodes Supplier Management System view_unit.php sql injection
VDB-336396 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714163 | Campcodes Supplier Management System V1.0 SQL Injection
https://github.com/louxiadelaolitou/CVE/issues/3
https://www.campcodes.com/
 
itsourcecode–COVID Tracking System A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. 2025-12-14 7.3 CVE-2025-14666 VDB-336398 | itsourcecode COVID Tracking System page sql injection
VDB-336398 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714786 | itsourcecode COVID Tracking System V1.0 SQL Injection
https://github.com/bardminx/Lonlydance/issues/2
https://itsourcecode.com/
 
itsourcecode–COVID Tracking System A security vulnerability has been detected in itsourcecode COVID Tracking System 1.0. The impacted element is an unknown function of the file /admin/?page=system_info. Such manipulation of the argument meta_value leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2025-12-14 7.3 CVE-2025-14667 VDB-336399 | itsourcecode COVID Tracking System page sql injection
VDB-336399 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714805 | itsourcecode COVID Tracking System V1.0 SQL Injection
https://github.com/bardminx/Lonlydance/issues/3
https://itsourcecode.com/
 
campcodes–Advanced Online Examination System A vulnerability was detected in campcodes Advanced Online Examination System 1.0. This affects an unknown function of the file /query/loginExe.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2025-12-14 7.3 CVE-2025-14668 VDB-336400 | campcodes Advanced Online Examination System loginExe.php sql injection
VDB-336400 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714806 | campcodes Advanced Online Examination System V1.0 SQL Injection
https://github.com/gravity123123/CVE/issues/1
https://www.campcodes.com/
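Most of the 7.3-scored entries in this section are the same defect in small PHP applications: a request parameter (Username, stud_no, ID, sy, chkId[] and so on) is concatenated into a SQL string. The following is an added example, not code from any of the listed projects, that reproduces the two shapes that recur above and the parameterized fix for each. It uses Python's sqlite3 module so it runs offline; the login-form shape covers the index.php, login1.php, login_query.php, login.php and loginExe.php entries, and the array shape covers the chkId[] entry in view_unit.php. The table and column names are assumptions, and the data is constructed.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the PHP apps' MySQL tables. Table and column
    # names are assumptions for illustration, not taken from any listed project.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "student")],
    )
    con.execute("CREATE TABLE units (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO units (name) VALUES (?)", [("kg",), ("box",), ("pallet",)])
    return con


def login_vulnerable(con, username, password):
    # The pattern behind the login-form entries: request parameters are
    # concatenated straight into the SQL string, so a quote in the username
    # ends the literal and the rest of the input becomes SQL. A username of
    # "admin' --" comments out the password check entirely.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_fixed(con, username, password):
    # Parameterized query: the driver sends the values separately from the
    # statement, so a quote in the username is just a character in a string.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def select_units_vulnerable(con, ids):
    # Array parameter joined into an IN (...) list, the PHP
    # implode(',', $_POST['chkId']) idiom behind the chkId[] entry. One element
    # such as "2) OR 1=1 --" escapes the list and selects every row.
    sql = "SELECT id, name FROM units WHERE id IN (%s) ORDER BY id" % ",".join(ids)
    return con.execute(sql).fetchall()


def select_units_fixed(con, ids):
    # Validate each element as an integer first, then build one placeholder
    # per element; the values still travel as bound parameters.
    clean = [int(i) for i in ids]  # raises ValueError on anything non-numeric
    placeholders = ",".join("?" for _ in clean)
    sql = f"SELECT id, name FROM units WHERE id IN ({placeholders}) ORDER BY id"
    return con.execute(sql, clean).fetchall()
```

The fix is the same in PHP: mysqli or PDO prepared statements with bound parameters, and for array inputs a placeholder per element built after type-checking each value. Escaping functions applied to the whole string are not a substitute, which is exactly the "insufficient escaping" wording several of the entries use.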
 
gmg137–snap7-rs A flaw has been found in gmg137 snap7-rs up to 1.142.1. This impacts the function TSnap7MicroClient::opWriteArea of the file s7_micro_client.cpp. Executing manipulation can lead to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. 2025-12-14 7.3 CVE-2025-14672 VDB-336401 | gmg137 snap7-rs s7_micro_client.cpp opWriteArea heap-based overflow
VDB-336401 | CTI Indicators (IOB, IOC, IOA)
https://gitee.com/gmg137/snap7-rs/issues/ID2H8E
 
gmg137–snap7-rs A vulnerability has been found in gmg137 snap7-rs up to 1.142.1. Affected is the function snap7_rs::client::S7Client::as_ct_write of the file /tests/snap7-rs/src/client.rs. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-14 7.3 CVE-2025-14673 VDB-336402 | gmg137 snap7-rs client.rs as_ct_write heap-based overflow
VDB-336402 | CTI Indicators (IOB, IOC, IOA)
https://gitee.com/gmg137/snap7-rs/issues/ID2H74
 
n/a–Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code. 2025-12-10 7.6 CVE-2025-24857 https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-01
 
Infinera–MTC-9 Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22.1.1.0275 before R23.0. 2025-12-08 7.5 CVE-2025-26488 https://www.cvcn.gov.it/cvcn/cve/CVE-2025-26488
 
Siemens–COMOS V10.6 A vulnerability has been identified in COMOS V10.6 (All versions), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack. 2025-12-09 7.4 CVE-2025-40800 https://cert-portal.siemens.com/productcert/html/ssa-868571.html
https://cert-portal.siemens.com/productcert/html/ssa-212953.html
 
Siemens–SIDOOR ATD430W Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker e.g. to interfere with connection setup, potentially leading to a denial of service. The attack succeeds only if an attacker can inject IP packets with spoofed addresses at precisely timed moments, and it affects only TCP-based services. 2025-12-09 7.5 CVE-2025-40820 https://cert-portal.siemens.com/productcert/html/ssa-915282.html
 
Siemens–Simcenter Femap A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected application contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146) 2025-12-12 7.8 CVE-2025-40829 https://cert-portal.siemens.com/productcert/html/ssa-512988.html
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41695 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41745 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41746 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41747 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41748 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41749 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41750 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41751 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user. 2025-12-09 7.1 CVE-2025-41752 https://certvde.com/en/advisories/VDE-2025-071/
 
SAP_SE–SAP NetWeaver (remote service for Xcelsius) SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality. 2025-12-09 7.9 CVE-2025-42874 https://me.sap.com/notes/3640185
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP S/4 HANA Private Cloud (Financials General Ledger) Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected. 2025-12-09 7.1 CVE-2025-42876 https://me.sap.com/notes/3672151
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP Web Dispatcher, Internet Communication Manager and SAP Content Server SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability. This results in high impact on the availability with no impact on confidentiality or integrity of the application. 2025-12-09 7.5 CVE-2025-42877 https://me.sap.com/notes/3677544
https://url.sap/sapsecuritypatchday
 
Dell–Dell Encryption Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access (‘Link Following’) vulnerability. A local malicious user could potentially exploit this vulnerability, leading to Elevation of privileges. 2025-12-09 7.3 CVE-2025-46637 https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442
 
Fortinet–FortiSandbox An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests. 2025-12-09 7 CVE-2025-53949 https://fortiguard.fortinet.com/psirt/FG-IR-25-479
 
Microsoft–Windows 10 Version 1809 Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-54100 PowerShell Remote Code Execution Vulnerability
 
Meta–react-server-dom-webpack A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. 2025-12-11 7.5 CVE-2025-55184 https://www.facebook.com/security/advisories/cve-2025-55184
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
 
Microsoft–Windows 11 Version 25H2 Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-55233 Windows Projected File System Elevation of Privilege Vulnerability
 
PowerDNS–Recursor An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. 2025-12-09 7.5 CVE-2025-59030 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html
 
Microsoft–Windows 10 Version 1809 Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-59516 Windows Storage VSP Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-59517 Windows Storage VSP Driver Elevation of Privilege Vulnerability
 
Fortinet–FortiVoice Multiple Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerabilities [CWE-22] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated attacker to write arbitrary files via specific HTTP or HTTPS commands. 2025-12-09 7.7 CVE-2025-60024 https://fortiguard.fortinet.com/psirt/FG-IR-25-812
 
Microsoft–Windows 10 Version 1809 Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62221 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 11 Version 25H2 Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62454 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62455 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
 
Microsoft–Windows 11 Version 25H2 Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62457 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Heap-based buffer overflow in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62458 Win32k Elevation of Privilege Vulnerability
 
Microsoft–Windows 11 Version 25H2 Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62461 Windows Projected File System Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62462 Windows Projected File System Elevation of Privilege Vulnerability
 
Microsoft–Windows 11 Version 25H2 Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62464 Windows Projected File System Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62466 Windows Client-Side Caching Elevation of Privilege Vulnerability
 
Microsoft–Windows 11 Version 25H2 Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62467 Windows Projected File System Elevation of Privilege Vulnerability
 
Microsoft–Windows Server 2025 (Server Core installation) Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7 CVE-2025-62469 Microsoft Brokering File System Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62470 Windows Common Log File System Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62472 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62474 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
 
Microsoft–Microsoft Office 2019 Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62552 Microsoft Access Remote Code Execution Vulnerability
 
Microsoft–Microsoft Office 2019 Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62553 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Microsoft SharePoint Enterprise Server 2016 Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. 2025-12-09 7 CVE-2025-62555 Microsoft Word Remote Code Execution Vulnerability
 
Microsoft–Office Online Server Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62556 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Microsoft SharePoint Enterprise Server 2016 Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62558 Microsoft Word Remote Code Execution Vulnerability
 
Microsoft–Microsoft SharePoint Enterprise Server 2016 Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62559 Microsoft Word Remote Code Execution Vulnerability
 
Microsoft–Office Online Server Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62560 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Office Online Server Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62561 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Microsoft SharePoint Enterprise Server 2016 Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62562 Microsoft Outlook Remote Code Execution Vulnerability
 
Microsoft–Office Online Server Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62563 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Office Online Server Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2025-12-09 7.8 CVE-2025-62564 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft–Windows 10 Version 1809 Use after free in Windows Shell allows an authorized attacker to elevate privileges locally. 2025-12-09 7.3 CVE-2025-62565 Windows File Explorer Elevation of Privilege Vulnerability
 
Microsoft–Windows Server 2025 (Server Core installation) Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. 2025-12-09 7 CVE-2025-62569 Microsoft Brokering File System Elevation of Privilege Vulnerability
 
Microsoft–Windows Server 2025 (Server Core installation) Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. 2025-12-09 7.1 CVE-2025-62570 Windows Camera Frame Server Monitor Information Disclosure Vulnerability
 
Microsoft–Windows 10 Version 1809 Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62571 Windows Installer Elevation of Privilege Vulnerability
 
Microsoft–Windows Server 2025 (Server Core installation) Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-62572 Application Information Service Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. 2025-12-09 7 CVE-2025-62573 DirectX Graphics Kernel Elevation of Privilege Vulnerability
 
Fortinet–FortiWeb A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number. 2025-12-09 7.1 CVE-2025-64447 https://fortiguard.fortinet.com/psirt/FG-IR-25-945
 
Microsoft–Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Shell allows an authorized attacker to elevate privileges locally. 2025-12-09 7.5 CVE-2025-64658 Windows File Explorer Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Shell allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-64661 Windows Shell Elevation of Privilege Vulnerability
 
Microsoft–Microsoft Exchange Server 2019 Cumulative Update 15 Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. 2025-12-09 7.5 CVE-2025-64666 Microsoft Exchange Server Elevation of Privilege Vulnerability
 
Microsoft–Windows Admin Center Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally. 2025-12-11 7.8 CVE-2025-64669 Windows Admin Center Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-64673 Windows Storage VSP Driver Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-64679 Windows DWM Core Library Elevation of Privilege Vulnerability
 
Microsoft–Windows 10 Version 1809 Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. 2025-12-09 7.8 CVE-2025-64680 Windows DWM Core Library Elevation of Privilege Vulnerability
 
Adobe–DNG SDK DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 7.8 CVE-2025-64783 https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html
 
Adobe–DNG SDK DNG SDK versions 1.7.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 7.1 CVE-2025-64784 https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html
 
Adobe–Acrobat Reader Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. 2025-12-09 7.8 CVE-2025-64785 https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
 
Adobe–DNG SDK DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 7.1 CVE-2025-64893 https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html
 
Adobe–Acrobat Reader Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 7.8 CVE-2025-64899 https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior to V21. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 7.2 CVE-2025-64986 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-CheckSimpleIoC instruction. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 7.2 CVE-2025-64987 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-GetCmContentLocations instruction prior to V19.2. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 7.2 CVE-2025-64988 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction prior to V21.1. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 7.2 CVE-2025-64989 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
Windscribe–Windscribe for Linux Desktop App A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the ‘adapterName’ parameter of the ‘changeMTU’ function. Fixed in Windscribe v2.18.3-alpha and v2.18.8. 2025-12-10 7.8 CVE-2025-65199 url
 
wearefrank–ladybug Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628. 2025-12-09 7 CVE-2025-66214 https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f
 
Huawei–HarmonyOS Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2025-12-08 7.1 CVE-2025-66327 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
1Panel-dev–1Panel 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14. 2025-12-09 7.5 CVE-2025-66507 https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-qmg5-v42x-qqhq
https://github.com/1Panel-dev/1Panel/commit/ac43f00273be745f8d04b90b6e2b9c1a40ef7bca
https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.14
 
ImageMagick–ImageMagick ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10. 2025-12-10 7.5 CVE-2025-66628 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
https://github.com/dlemstra/Magick.NET/commit/2dfa08e15cfd11016a79615994787b14f9048b1c
 
zauberzeug–nicegui NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0. 2025-12-09 7.5 CVE-2025-66645 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366
https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9
 
Zoom Communications Inc.–Zoom Rooms Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access. 2025-12-10 7.8 CVE-2025-67460 https://www.zoom.com/en/trust/security-bulletin/zsb-25050
 
siyuan-note–siyuan SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain the function importZipMd, which is vulnerable to Zip Slip, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0. 2025-12-09 7.8 CVE-2025-67488 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366
https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190
 
langchain-ai–langgraph LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1. 2025-12-10 7.3 CVE-2025-67644 https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c
https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a
 
shopware–shopware Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1. 2025-12-10 7.1 CVE-2025-67648 https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2
https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
 
tornadoweb–tornado Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server’s event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3. 2025-12-12 7.5 CVE-2025-67725 https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64
https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3
 
tornadoweb–tornado Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server’s CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado’s single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3. 2025-12-12 7.5 CVE-2025-67726 https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8
https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3
 
Meta–react-server-dom-parcel It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. 2025-12-11 7.5 CVE-2025-67779 https://www.facebook.com/security/advisories/cve-2025-67779
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
 

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
JBL–Flip 5 An unauthorised attacker within Bluetooth range may exploit improper validation during the BLE connection request to deadlock the affected devices. 2025-12-10 6.5 CVE-2024-2105 https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0002.json
https://certvde.com/en/advisories/VDE-2025-089
 
Fortinet–FortiProxy An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration). 2025-12-09 6.3 CVE-2024-47570 https://fortiguard.fortinet.com/psirt/FG-IR-24-268
 
themefusecom–Brizy Page Builder The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators. 2025-12-13 6.5 CVE-2025-0969 https://www.wordfence.com/threat-intel/vulnerabilities/id/5987ef13-15d6-4ecf-894c-f22c8726402b?source=cve
https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/api.php#L961
https://wordpress.org/plugins/brizy/#developers
https://plugins.trac.wordpress.org/changeset/3392844
 
fernandobt–List category posts The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-11 6.5 CVE-2025-10163 https://www.wordfence.com/threat-intel/vulnerabilities/id/21708205-dd43-4b22-9151-bc6f882422cb?source=cve
https://plugins.trac.wordpress.org/browser/list-category-posts/tags/0.91.0/include/lcp-parameters.php#L240
 
Grassroots–DICOM (GDCM) An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input; simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition. 2025-12-12 6.6 CVE-2025-11266 https://github.com/malaterre/GDCM/releases/tag/v3.2.2
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-345-01.json
 
extendthemes–Colibri Page Builder The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘colibri_loop’ shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-11376 https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377192%40colibri-page-builder&new=3377192%40colibri-page-builder&sfp_email=&sfph_mail=
 
jbrinley–Mailgun Subscriptions The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘mailgun_subscription_form’ shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-11876 https://www.wordfence.com/threat-intel/vulnerabilities/id/149e60cc-9612-4651-b02d-4b68a3533d36?source=cve
https://plugins.trac.wordpress.org/browser/mailgun-subscriptions/tags/1.2.0/Mailgun_Subscriptions/Subscription_Form.php#L101
https://github.com/flightless/mailgun-subscriptions/pull/8/commits/a8b597e3a09f3a1b76436d09de434fd9bfe29f64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3413662%40mailgun-subscriptions&new=3413662%40mailgun-subscriptions&sfp_email=&sfph_mail=
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions. 2025-12-11 6.8 CVE-2025-11984 GitLab Issue #577847
HackerOne Bug Bounty Report #3322714
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
f1logic–Social Media Auto Publish The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-13 6.1 CVE-2025-12076 https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae682a-c048-427c-abf8-3ecbccc9c95c?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412065%40social-media-auto-publish&new=3412065%40social-media-auto-publish&sfp_email=&sfph_mail=
 
f1logic–WP to LinkedIn Auto Publish The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-13 6.1 CVE-2025-12077 https://www.wordfence.com/threat-intel/vulnerabilities/id/b680132a-f397-4636-98b2-bcd8c168e822?source=cve
https://plugins.trac.wordpress.org/browser/linkedin-auto-publish/trunk/js/notice.js
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412103%40linkedin-auto-publish&new=3412103%40linkedin-auto-publish&sfp_email=&sfph_mail=
 
mahethekiller–Header Footer Script Adder Insert Code in Header, Body & Footer The Header Footer Script Adder – Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-12109 https://www.wordfence.com/threat-intel/vulnerabilities/id/cab034fd-4cf2-4253-bbcd-c8bb86325fa8?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388587%40header-and-footer-script-adder&new=3388587%40header-and-footer-script-adder&sfp_email=&sfph_mail=
 
wpvibes–Addon Elements for Elementor (formerly Elementor Addon Elements) The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via multiple widget parameters in pages that will execute whenever a user accesses an injected page. 2025-12-14 6.4 CVE-2025-12537 https://www.wordfence.com/threat-intel/vulnerabilities/id/94217d06-21c2-443d-ae2c-a2dbd65b7908?source=cve
https://plugins.trac.wordpress.org/changeset/3415227/addon-elements-for-elementor-page-builder/trunk/assets/js/eae.js
 
sgcoskey–Simple post listing The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. 2025-12-12 6.4 CVE-2025-12650 https://www.wordfence.com/threat-intel/vulnerabilities/id/dfdebeab-89f6-49b8-a38f-de2a8df7a7e8?source=cve
https://plugins.trac.wordpress.org/browser/simple-post-listing/tags/0.2/simple-post-listing.php#L77
 
TeamViewer–DEX A vulnerability in TeamViewer DEX Client (formerly 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to cause a denial of service (application crash) via a crafted command, resulting in service termination. 2025-12-11 6.5 CVE-2025-12687 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/
 
wpdive–Better Addons for Elementor The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-12830 https://www.wordfence.com/threat-intel/vulnerabilities/id/d714d740-d7e0-49fd-af08-b4a80c9d0599?source=cve
https://wordpress.org/plugins/better-elementor-addons/
https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style1.php#L19
https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style2.php#L17
https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style5.php#L12
 
zealopensource–Accept Stripe Payments Using Contact Form 7 The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘failure_message’ parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-12834 https://www.wordfence.com/threat-intel/vulnerabilities/id/d9e77e3f-dcd8-426a-be0f-24eb65c6709e?source=cve
https://plugins.trac.wordpress.org/browser/accept-stripe-payments-using-contact-form-7/tags/3.1/inc/lib/class.cf7sa.lib.php#L696
 
iworks–Simple CSV Table The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. 2025-12-12 6.5 CVE-2025-12960 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff9abb4-2b25-4bbb-86b4-fb1ba37e122f?source=cve
https://plugins.trac.wordpress.org/browser/simple-csv-table/tags/1.0.1/simple-csv-table.php#L71
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403210%40simple-csv-table&new=3403210%40simple-csv-table&sfp_email=&sfph_mail=
 
nalam-1–Magical Posts Display Elementor Advanced Posts widgets The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mpac_title_tag’ parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-12965 https://www.wordfence.com/threat-intel/vulnerabilities/id/8352400f-fea1-486d-872a-66340300cee9?source=cve
https://wordpress.org/plugins/magical-posts-display/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407965%40magical-posts-display&new=3407965%40magical-posts-display&sfp_email=&sfph_mail=#file34
 
wpusermanager–WP User Manager User Profile Builder & Membership The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP’s filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the ‘current_user_avatar’ parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled. 2025-12-12 6.8 CVE-2025-13320 https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70
https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75
https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86
https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86
 
Altera–Quartus Prime Pro Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists. 2025-12-11 6.7 CVE-2025-13663 https://www.altera.com/security/security-advisory/asa-0001
 
Altera–Quartus Prime Standard A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege. 2025-12-11 6.7 CVE-2025-13664 https://www.altera.com/security/security-advisory/asa-0002
 
Altera–Quartus Prime Standard The System Console Utility for Windows is vulnerable to a DLL planting vulnerability. 2025-12-12 6.7 CVE-2025-13665 https://www.altera.com/security/security-advisory/asa-0002
 
Altera–Quartus Prime Pro A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege. 2025-12-11 6.7 CVE-2025-13668 https://www.altera.com/security/security-advisory/asa-0001
 
Altera–High Level Synthesis Compiler Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking. This issue affects High Level Synthesis Compiler: from 19.1 through 24.3. 2025-12-12 6.7 CVE-2025-13669 https://www.altera.com/security/security-advisory/asa-0003
 
Altera–High Level Synthesis Compiler The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability. 2025-12-12 6.7 CVE-2025-13670 https://www.altera.com/security/security-advisory/asa-0003
 
blakelong–Custom Frames The Custom Frames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter of the ‘customframe’ shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-13705 https://www.wordfence.com/threat-intel/vulnerabilities/id/56f3aa7a-a6f2-42c7-b855-b083fe58f466?source=cve
https://plugins.trac.wordpress.org/browser/custom-frames/trunk/class.customframes.php#L65
https://plugins.trac.wordpress.org/browser/custom-frames/tags/1.0.1/class.customframes.php#L65
 
ice00–NewStatPress The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13747 https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060?source=cve
https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php#L637
 
jenyay–LJUsers The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter of the ‘ljuser’ shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13839 https://www.wordfence.com/threat-intel/vulnerabilities/id/841adf53-930a-4286-96d0-9ee8b0c188c4?source=cve
https://plugins.trac.wordpress.org/browser/ljusers/trunk/ljusers.php#L194
https://plugins.trac.wordpress.org/browser/ljusers/tags/1.2.0/ljusers.php#L194
 
bobvanoorschot–BUKAZU Search widget The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode’ parameter of the ‘bukazu_search’ shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13840 https://www.wordfence.com/threat-intel/vulnerabilities/id/a666d0e4-4fa7-4794-b270-afbccf5036c6?source=cve
https://plugins.trac.wordpress.org/browser/bukazu-search-widget/trunk/bukazu-widget.php#L277
https://plugins.trac.wordpress.org/browser/bukazu-search-widget/tags/3.3.2/bukazu-widget.php#L277
 
susantabeura–VigLink SpotLight By ShortCode The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘float’ parameter of the ‘spotlight’ shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13843 https://www.wordfence.com/threat-intel/vulnerabilities/id/f1275a8f-c9ac-4cb3-8aa2-1393ffcc9dc8?source=cve
https://plugins.trac.wordpress.org/browser/viglink-spotlight-by-shortcode/trunk/spotlight.php#L20
https://plugins.trac.wordpress.org/browser/viglink-spotlight-by-shortcode/tags/1.0.a/spotlight.php#L20
 
qrevo–Easy Map Creator The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13846 https://www.wordfence.com/threat-intel/vulnerabilities/id/6e185479-843c-4748-83e5-ae0b300c3fc7?source=cve
https://plugins.trac.wordpress.org/browser/easy-map-creator/trunk/easy_map_creator.php#L139
https://plugins.trac.wordpress.org/browser/easy-map-creator/tags/3.0.2/easy_map_creator.php#L139
 
ladislavsoukupgmailcom–LS Google Map Router The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘map_type’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13850 https://www.wordfence.com/threat-intel/vulnerabilities/id/e3581172-10d8-4b11-95f7-ee1835e29606?source=cve
https://plugins.trac.wordpress.org/browser/ls-gmap-route/trunk/ls-gmap_route.php#L61
https://plugins.trac.wordpress.org/browser/ls-gmap-route/tags/1.1.0/ls-gmap_route.php#L61
 
looks_awesome–Flow-Flow Social Feed Stream The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed. 2025-12-12 6.4 CVE-2025-13866 https://www.wordfence.com/threat-intel/vulnerabilities/id/065d01b6-30e0-4bc8-bd70-25996c2df879?source=cve
https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/db/FFDBManager.php#L24
https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/FlowFlowActivator.php#L224
 
buntegiraffe–Hide Email Address The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inline_css’ parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13884 https://www.wordfence.com/threat-intel/vulnerabilities/id/a770ab37-127a-4018-9ffa-1b326d5a016e?source=cve
https://plugins.trac.wordpress.org/browser/bg-hide-email-address/trunk/BgHideEmailAddress.php#L101
https://plugins.trac.wordpress.org/browser/bg-hide-email-address/tags/0.1/BgHideEmailAddress.php#L101
 
imran3229–Zenost Shortcodes The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ and ‘target’ parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13885 https://www.wordfence.com/threat-intel/vulnerabilities/id/c88d378a-6c58-4670-b0b6-0e0d51c39bd1?source=cve
https://plugins.trac.wordpress.org/browser/zenost-shortcodes/trunk/inc/shortcodes.php#L25
https://plugins.trac.wordpress.org/browser/zenost-shortcodes/tags/1.0/inc/shortcodes.php#L25
 
tmus–Simple Nivo Slider The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13889 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c1c343c-ef16-4468-a983-0dc9fd152dd5?source=cve
https://plugins.trac.wordpress.org/browser/simple-nivo-slider/tags/0.5.6/simple-nivo-slider.php#L208
https://plugins.trac.wordpress.org/browser/simple-nivo-slider/trunk/simple-nivo-slider.php#L208
 
wpchill–Image Gallery Photo Grid & Video Gallery The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint. 2025-12-12 6.5 CVE-2025-13891 https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d?source=cve
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L230
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L160
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L411
https://research.cleantalk.org/cve-2025-13891/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail=
 
lesion–WPGancio The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘gancio-event’ shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13904 https://www.wordfence.com/threat-intel/vulnerabilities/id/593fefe1-8813-440b-b8c7-fbfd5b71a737?source=cve
https://plugins.trac.wordpress.org/browser/wpgancio/trunk/wc.php#L33
https://plugins.trac.wordpress.org/browser/wpgancio/tags/1.12/wc.php#L33
 
ysh–WP Flot The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘linechart’ shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13906 https://www.wordfence.com/threat-intel/vulnerabilities/id/b4905ca1-3096-45c5-838b-1237888fb969?source=cve
https://plugins.trac.wordpress.org/browser/wp-flot/trunk/wpflot.php#L101
https://plugins.trac.wordpress.org/browser/wp-flot/tags/0.2.2/wpflot.php#L101
 
davidkeen–GPXpress The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘gpxpress’ shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13960 https://www.wordfence.com/threat-intel/vulnerabilities/id/a2bf5c47-11e6-462d-a671-3f5e94e9e7e5?source=cve
https://plugins.trac.wordpress.org/browser/gpxpress/trunk/includes/Gpxpress.php#L152
https://plugins.trac.wordpress.org/browser/gpxpress/tags/1.3/includes/Gpxpress.php#L152
 
subhransu-sekhar–Data Visualizer The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘visualize’ shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13961 https://www.wordfence.com/threat-intel/vulnerabilities/id/ac7aeb6a-4e41-4301-8e79-ffe1468c0940?source=cve
https://plugins.trac.wordpress.org/browser/data-visualizer/trunk/data-visualizer.php#L92
https://plugins.trac.wordpress.org/browser/data-visualizer/tags/1.1/data-visualizer.php#L92
 
klemmkeil–Divelogs Widget The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘latestdive’ shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13962 https://www.wordfence.com/threat-intel/vulnerabilities/id/cbb3378a-d3e8-4a31-9ed2-f580960878cf?source=cve
https://plugins.trac.wordpress.org/browser/divelogs-widget/trunk/divelogs-widget.php#L51
https://plugins.trac.wordpress.org/browser/divelogs-widget/tags/1.5/divelogs-widget.php#L51
https://plugins.trac.wordpress.org/changeset/3415821/
 
falselight–FX Currency Converter The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘fxcc_convert’ shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13963 https://www.wordfence.com/threat-intel/vulnerabilities/id/d01a7887-afd7-418b-99ad-92157582a506?source=cve
https://plugins.trac.wordpress.org/browser/fx-currency-converter/trunk/includes/shortcode.php#L57
https://plugins.trac.wordpress.org/browser/fx-currency-converter/tags/0.2.0/includes/shortcode.php#L57
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415819%40fx-currency-converter&new=3415819%40fx-currency-converter&sfp_email=&sfph_mail=
 
sonlamtn200–Paypal Payment Shortcode The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘buttom_image’ parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13966 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0b1fbb1-fc2c-4eb9-89c6-364ca8c385db?source=cve
https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L10
https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L10
https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L55
https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L55
 
eurisko–Reviews Sorted The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘space’ parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13969 https://www.wordfence.com/threat-intel/vulnerabilities/id/74e790e7-60fd-45cd-942f-0f24365d7fc8?source=cve
https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/functions/do.php#L138
https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/functions/do.php#L138
https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider.php#L23
https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider.php#L23
https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-1.php#L30
https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-1.php#L30
https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-2.php#L23
https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-2.php#L23
https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-3.php#L23
https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-3.php#L23
 
thobian– The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER[‘PHP_SELF’]` variable in the plugin’s settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-13988 https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve
https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173
https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173
 
nazsabuz–WP Dropzone The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘callback’ shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied ‘callback’ attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-13989 https://www.wordfence.com/threat-intel/vulnerabilities/id/23953909-4836-4226-b00b-eb0e24cc3ad7?source=cve
https://plugins.trac.wordpress.org/browser/wp-dropzone/trunk/includes/class-plugin.php#L303
https://plugins.trac.wordpress.org/browser/wp-dropzone/trunk/js/wp-dropzone.js#L86
https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.1/includes/class-plugin.php#L303
https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.1/js/wp-dropzone.js#L86
 
soportecibeles–AI Feeds The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aife_post_meta’ shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-14030 https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve
https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58
https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail=
 
boldthemes–Bold Timeline Lite The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in the ‘bold_timeline_group’ shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-14032 https://www.wordfence.com/threat-intel/vulnerabilities/id/840fd950-3ce3-4068-b8bc-270f168a5091?source=cve
https://wordpress.org/plugins/bold-timeline-lite
https://plugins.trac.wordpress.org/browser/bold-timeline-lite/trunk/assets/views/bold_timeline_group_view.php#L79
https://plugins.trac.wordpress.org/browser/bold-timeline-lite/tags/1.2.7/assets/views/bold_timeline_group_view.php#L79
 
e4jvikwp–VikRentItems Flexible Rental Management System The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘delto’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14049 https://www.wordfence.com/threat-intel/vulnerabilities/id/51b56dc5-0d2d-4fa9-872c-4193f61c165f?source=cve
https://plugins.trac.wordpress.org/browser/vikrentitems/trunk/site/views/deliverymap/tmpl/default.php#L277
https://plugins.trac.wordpress.org/browser/vikrentitems/tags/1.2.0/site/views/deliverymap/tmpl/default.php#L277
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414595%40vikrentitems&new=3414595%40vikrentitems&sfp_email=&sfph_mail=
 
cytechltd–BuddyTask The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of. 2025-12-12 6.5 CVE-2025-14064 https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666
https://cwe.mitre.org/data/definitions/862.html
https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840
https://plugins.trac.wordpress.org/changeset/3416754/
 
themebon–App Landing Template Blocks for WPBakery (Visual Composer) Page Builder The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘atvc_video_play’ shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-14119 https://www.wordfence.com/threat-intel/vulnerabilities/id/5c440ae0-311d-4d0a-a216-7641c2a80669?source=cve
https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/trunk/modules/video-play.php#L58
https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/tags/2.0.2/modules/video-play.php#L58
 
andru1–Complag The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14125 https://www.wordfence.com/threat-intel/vulnerabilities/id/1bdae07c-cb80-4566-9b90-7b144c6ceeb0?source=cve
https://plugins.trac.wordpress.org/browser/omplag/trunk/complag.php#L37
https://plugins.trac.wordpress.org/browser/omplag/tags/1.0.2/complag.php#L37
 
wasiul99–Like DisLike Voting The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14129 https://www.wordfence.com/threat-intel/vulnerabilities/id/25dfa483-26c6-43d1-9a24-9ea245b54f4c?source=cve
https://wordpress.org/plugins/like-dislike-voting/
https://plugins.trac.wordpress.org/browser/like-dislike-voting/trunk/files/function.php#L76
https://plugins.trac.wordpress.org/browser/like-dislike-voting/tags/1.0.1/files/function.php#L76
 
pandikamal03–Category Dropdown List The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14132 https://www.wordfence.com/threat-intel/vulnerabilities/id/baac847b-3c5e-44c4-bccf-fcbde1adf37f?source=cve
https://plugins.trac.wordpress.org/browser/dropdown-category-list/trunk/settings.php#L11
https://plugins.trac.wordpress.org/browser/dropdown-category-list/tags/1.0/settings.php#L11
 
alexdtn–Simple AL Slider The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14137 https://www.wordfence.com/threat-intel/vulnerabilities/id/e12e2ba1-fc4f-4ad0-80da-3504ef1e13d3?source=cve
https://wordpress.org/plugins/simple-al-slider/
https://plugins.trac.wordpress.org/browser/simple-al-slider/trunk/templates/admin/header.tpl#L46
https://plugins.trac.wordpress.org/browser/simple-al-slider/tags/1.2.10/templates/admin/header.tpl#L46
 
wpletsgo–WPLG Default Mail From The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-12 6.1 CVE-2025-14138 https://www.wordfence.com/threat-intel/vulnerabilities/id/fd24b087-83a7-4f9a-8f7a-1bd94332c1f7?source=cve
https://plugins.trac.wordpress.org/browser/wplg-default-mail-from/trunk/wplg.php#L134
https://plugins.trac.wordpress.org/browser/wplg-default-mail-from/tags/1.0.0/wplg.php#L134
 
ayothemes–Ayo Shortcodes The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘color’ parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-14143 https://www.wordfence.com/threat-intel/vulnerabilities/id/1760fe6e-8153-4479-ae32-2e2f0fa54e12?source=cve
https://plugins.trac.wordpress.org/browser/ayo-shortcodes/trunk/includes/ayo-shortcodes-functions.php#L66
https://plugins.trac.wordpress.org/browser/ayo-shortcodes/trunk/includes/ayo-shortcodes-functions.php#L55
https://plugins.trac.wordpress.org/browser/ayo-shortcodes/tags/0.2/includes/ayo-shortcodes-functions.php#L55
https://plugins.trac.wordpress.org/browser/ayo-shortcodes/tags/0.2/includes/ayo-shortcodes-functions.php#L66
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters. 2025-12-11 6.5 CVE-2025-14157 GitLab Issue #574324
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
SourceCodester–Online Student Clearance System A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. 2025-12-08 6.5 CVE-2025-14206 VDB-334649 | SourceCodester Online Student Clearance System Fee Table delete-fee.php improper authorization
VDB-334649 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700465 | Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control
https://github.com/rassec2/dbcve/issues/8
https://www.sourcecodester.com/
 
D-Link–DIR-823X A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. 2025-12-08 6.3 CVE-2025-14208 VDB-334651 | D-Link DIR-823X set_wan_settings sub_415028 command injection
VDB-334651 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700499 | D-Link DIR-823X 250416 Command Injection
https://github.com/panda666-888/vuls/blob/main/d-link/dir-823x/set_wan_settings.md
https://github.com/panda666-888/vuls/blob/main/d-link/dir-823x/set_wan_settings.md#poc
https://www.dlink.com/
 
itsourcecode–Student Information System A vulnerability has been found in itsourcecode Student Information System 1.0. This affects an unknown part of the file /section_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. 2025-12-08 6.3 CVE-2025-14214 VDB-334656 | itsourcecode Student Information System section_edit1.php sql injection
VDB-334656 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #700986 | itsourcecode Student Information System V1.0 SQL Injection
Submit #700987 | itsourcecode Student Information System V1.0 SQL Injection (Duplicate)
https://github.com/ltranquility/CVE/issues/15
https://itsourcecode.com/
 
code-projects–Employee Profile Management System A flaw has been found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file /print_personnel_report.php. This manipulation of the argument per_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. 2025-12-08 6.3 CVE-2025-14222 VDB-334664 | code-projects Employee Profile Management System print_personnel_report.php sql injection
VDB-334664 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701636 | code-projects Employee Profile Management System Project V1 print_personnel_report.php SQL injection V1 SQL Injection
https://github.com/tiancesec/CVE/issues/14
https://code-projects.org/
 
D-Link–DCS-930L A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-08 6.3 CVE-2025-14225 VDB-334667 | D-Link DCS-930L alphapd setSystemAdmin command injection
VDB-334667 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701774 | D-Link DCS930L v1.15.04 Command Injection
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-1/D-Link%20Vulnerability.md
https://www.dlink.com/
 
Philipinho–Simple-PHP-Blog A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-08 6.3 CVE-2025-14227 VDB-334669 | Philipinho Simple-PHP-Blog edit.php sql injection
VDB-334669 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701826 | Philip Okugbe Simple-PHP-Blog v1.0 SQL Injection
https://github.com/woshinenbaba/CVE-/issues/1
 
code-projects–Daily Time Recording System A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. The impacted element is an unknown function of the file /admin/add_payroll.php. Performing manipulation of the argument detail_Id results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. 2025-12-08 6.3 CVE-2025-14230 VDB-334672 | code-projects Daily Time Recording System add_payroll.php sql injection
VDB-334672 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702426 | code projects Daily Time Recording System V4.5.0 SQL Injection
https://github.com/woshilaiyi/cve/issues/6
https://code-projects.org/
 
code-projects–Simple Shopping Cart A vulnerability was found in code-projects Simple Shopping Cart 1.0. This vulnerability affects unknown code of the file /Customers/settings.php. Performing manipulation of the argument user_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2025-12-08 6.3 CVE-2025-14246 VDB-334756 | code-projects Simple Shopping Cart settings.php sql injection
VDB-334756 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702461 | code-projects Simple Shopping Cart V1.0 SQL injection
https://github.com/zzb1388/cve/issues/90
https://code-projects.org/
 
code-projects–Simple Shopping Cart A vulnerability was determined in code-projects Simple Shopping Cart 1.0. This issue affects some unknown processing of the file /Admin/additems.php. Executing manipulation of the argument item_name can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-08 6.3 CVE-2025-14247 VDB-334757 | code-projects Simple Shopping Cart additems.php sql injection
VDB-334757 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702463 | code-projects Simple Shopping Cart V1.0 SQL injection
https://github.com/zzb1388/cve/issues/91
https://code-projects.org/
 
Galaxy Software Services–Vitals ESP Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. 2025-12-08 6.5 CVE-2025-14254 https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html
https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html
 
Galaxy Software Services–Vitals ESP Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. 2025-12-08 6.5 CVE-2025-14255 https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html
https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html
 
Jihai–Jshop MiniProgram Mall System A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-08 6.3 CVE-2025-14259 VDB-334765 | Jihai Jshop MiniProgram Mall System api.html sql injection
VDB-334765 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702613 | https://www.jihainet.com Jshop MiniProgram Mall System V2.9.0 SQL Injection
http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/Jshop/Jshop.html
 
htplugins–HT Slider For Elementor The HT Slider for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slide_title’ parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-14278 https://www.wordfence.com/threat-intel/vulnerabilities/id/af580e5a-a9da-4516-b612-b544dc73cf23?source=cve
https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/assets/js/htslider-widgets.js#L223
https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/include/addons/htslider_scroll_navigation.php#L1397
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415988%40ht-slider-for-elementor&new=3415988%40ht-slider-for-elementor#file1
 
n/a–@tiptap/extension-link Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction. 2025-12-09 6.1 CVE-2025-14284 https://security.snyk.io/vuln/SNYK-JS-TIPTAPEXTENSIONLINK-14222197
https://gist.github.com/th4s1s/3d1b6cd3e7257b14947242f712ec6e1f
https://github.com/ueberdosis/tiptap/commit/1c2fefe3d61ab1c8fbaa6d6b597251e1b6d9aaed
https://github.com/ueberdosis/tiptap/releases/tag/v2.10.4
 
wpjobportal–WP Job Portal AI-Powered Recruitment System for Company or Job Board website The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the ‘downloadCustomUploadedFile’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. 2025-12-11 6.5 CVE-2025-14293 https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve
https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908
 
awanhrp–Wpik WordPress Basic Ajax Form The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘dname’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 6.4 CVE-2025-14393 https://www.wordfence.com/threat-intel/vulnerabilities/id/1bc6508b-f646-4d52-bc8d-bdac443ed2fe?source=cve
https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L84
https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L85
https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L107
https://developer.wordpress.org/plugins/security/data-validation/
https://developer.wordpress.org/plugins/security/securing-output/
https://cwe.mitre.org/data/definitions/79.html
 
ghozylab–Popup Builder The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset plugin settings to their default values. 2025-12-13 6.5 CVE-2025-14446 https://www.wordfence.com/threat-intel/vulnerabilities/id/f67ab0cf-340d-4234-a857-1883f91c3ab6?source=cve
https://plugins.trac.wordpress.org/browser/easy-notify-lite/trunk/inc/functions/enoty-functions.php#L304
https://plugins.trac.wordpress.org/browser/easy-notify-lite/tags/1.1.37/inc/functions/enoty-functions.php#L304
 
yalogica–MediaCommander Bring Folders to Media, Posts, and Pages The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using the `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users. 2025-12-13 6.5 CVE-2025-14508 https://www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2?source=cve
https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php#L127
https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php#L793
https://plugins.trac.wordpress.org/changeset/3417928/
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib’s GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values. 2025-12-11 6.5 CVE-2025-14512 https://access.redhat.com/security/cve/CVE-2025-14512
RHBZ#2421339
 
Yalantis–uCrop A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 6.3 CVE-2025-14516 VDB-335854 | Yalantis uCrop URL com.yalantis.ucrop.task.BitmapLoadTask.java downloadFile server-side request forgery
VDB-335854 | CTI Indicators (IOB, IOC, IOA)
Submit #702810 | uCrop Android Library 2.2.11 Server-Side Request Forgery
https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446
https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?pvs=25#039fe30a92dc4ed88c9b03f85418e92e
 
n/a–PowerJob A vulnerability was identified in PowerJob up to 5.1.2. This vulnerability affects the function checkConnectivity of the file src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java of the component Network Request Handler. The manipulation of the argument targetIp/targetPort leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2025-12-11 6.3 CVE-2025-14518 VDB-335856 | PowerJob Network Request PingPongUtils.java checkConnectivity server-side request forgery
VDB-335856 | CTI Indicators (IOB, IOC, IOA)
Submit #702896 | PoweJob PowerJob <=5.1.2 SSRF
https://github.com/PowerJob/PowerJob/issues/1144
https://github.com/PowerJob/PowerJob/issues/1144#issue-3673393002
 
baowzh–hfly A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 6.3 CVE-2025-14522 VDB-335860 | baowzh hfly upload_json.php unrestricted upload
VDB-335860 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702950 | GitHub hfly 1.0 Stored Cross-Site Scripting
https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20upload_json.php%20imgFile%20XSS-File-Upload.md
 
haxxorsid–Stock-Management-System A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employee_id/id/admin leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-12 6.3 CVE-2025-14568 VDB-336192 | haxxorsid Stock-Management-System User.php sql injection
VDB-336192 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703880 | haxxorsid stock-management-system 1.0 SQL Injection
https://github.com/ixpqxi/CVE_LIST/blob/master/stock_management_system/sql_injection_vulnerability.md
 
TOTOLINK–X5000R A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2025-12-13 6.3 CVE-2025-14586 VDB-336206 | TOTOLINK X5000R cstecgi.cgi snprintf os command injection
VDB-336206 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705593 | TOTOLINK X5000R v9.1.0cu.2089_B20211224 RCE
https://github.com/awigwu76/TOTOLINK_X5000R/blob/main/1.md
https://www.totolink.net/
 
code-projects–Prison Management System A weakness has been identified in code-projects Prison Management System 2.0. This issue affects some unknown processing of the file /admin/search.php. Executing manipulation of the argument keyname can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. 2025-12-13 6.3 CVE-2025-14589 VDB-336209 | code-projects Prison Management System search.php sql injection
VDB-336209 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707094 | Yunlin: code-projects Prison Management System 2.0 SQL Injection
https://github.com/asd1238525/cve/blob/main/SQL18.md
https://code-projects.org/
 
OFFIS–DCMTK A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 can resolve this issue. The patch is identified as 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component. 2025-12-13 6.3 CVE-2025-14607 VDB-336283 | OFFIS DCMTK dcmdata dcbytstr.cc makeDicomByteString memory corruption
VDB-336283 | CTI Indicators (IOB, IOC, IOA)
Submit #705036 | OFFIS DCMTK 3.6.9 Buffer Overflow
https://support.dcmtk.org/redmine/issues/1184
https://support.dcmtk.org/redmine/projects/dcmtk/activity?from=2025-12-02
https://github.com/DCMTK/dcmtk/commit/4c0e5c10079392c594d6a7abd95dd78ac0aa556a
https://support.dcmtk.org/redmine/versions/19
 
aizuda–snail-job A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded. 2025-12-14 6.3 CVE-2025-14674 VDB-336403 | aizuda snail-job QLExpressEngine.java QLExpressEngine.doEval injection
VDB-336403 | CTI Indicators (IOB, IOC, TTP, IOA)
https://gitee.com/aizuda/snail-job/issues/ICNUG0
https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link
https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86
https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1
 
Infinera–MTC-9 Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash the service and reboot the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22.1.1.0275 before R23.0. 2025-12-08 6.5 CVE-2025-26489 https://www.cve.org/CVERecord?id=CVE-2025-26489
 
IBM–Controller IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input. 2025-12-08 6.5 CVE-2025-36015 https://www.ibm.com/support/pages/node/7253273
 
IBM–Controller IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user. 2025-12-08 6.5 CVE-2025-36017 https://www.ibm.com/support/pages/node/7253283
 
IBM–watsonx.data IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits. 2025-12-08 6.5 CVE-2025-36140 https://www.ibm.com/support/pages/node/7253932
 
Siemens–Gridscale X Prepay A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to capture-replay of authentication tokens. This could allow an authenticated but already locked-out user to establish still valid user sessions. 2025-12-09 6.3 CVE-2025-40807 https://cert-portal.siemens.com/productcert/html/ssa-356310.html
 
Siemens–SINEC Security Monitor A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). The affected application does not have proper authorization checks for the file_transfer feature in ssmctl-client command. This could allow an authenticated, lowly privileged local attacker to read or write to any file on server or sensor. 2025-12-09 6.7 CVE-2025-40830 https://cert-portal.siemens.com/productcert/html/ssa-882673.html
 
Siemens–SINEC Security Monitor A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). The affected application lacks input validation of date parameter in report generation functionality. This could allow an authenticated, lowly privileged attacker to cause denial of service condition of the report functionality. 2025-12-09 6.5 CVE-2025-40831 https://cert-portal.siemens.com/productcert/html/ssa-882673.html
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. 2025-12-11 6.5 CVE-2025-4097 GitLab Issue #538192
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
Phoenix Contact–FL SWITCH 2005 A high privileged remote attacker with admin privileges for the webUI can brute-force the “root” and “user” passwords of the underlying OS due to a weak password generation algorithm. 2025-12-09 6.8 CVE-2025-41692 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the webserver. 2025-12-09 6.5 CVE-2025-41694 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692. 2025-12-09 6.8 CVE-2025-41697 https://certvde.com/de/advisories/VDE-2025-071
 
SAP_SE–SAP NetWeaver Enterprise Portal Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users' browsers, allowing the attacker to steal session cookies, tokens, and other sensitive information. As a result, the vulnerability has a low impact on confidentiality and integrity and no impact on availability. 2025-12-09 6.1 CVE-2025-42872 https://me.sap.com/notes/3662622
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP NetWeaver Internet Communication Framework The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the application. 2025-12-09 6.6 CVE-2025-42875 https://me.sap.com/notes/3591163
https://url.sap/sapsecuritypatchday
 
SAP_SE–Application Server ABAP Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability. 2025-12-09 6.5 CVE-2025-42904 https://me.sap.com/notes/3662324
https://url.sap/sapsecuritypatchday
 
Dell–Dell Encryption Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access (‘Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. 2025-12-09 6.6 CVE-2025-46636 https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442
 
Fortinet–FortiSandbox Cloud An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in Fortinet FortiSandbox version 5.0.0 through 5.0.2 and before 4.4.7 GUI allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests. 2025-12-09 6.9 CVE-2025-53679 https://fortiguard.fortinet.com/psirt/FG-IR-25-454
 
Fortinet–FortiPortal An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests. 2025-12-09 6.4 CVE-2025-54838 https://fortiguard.fortinet.com/psirt/FG-IR-25-032
 
Fortinet–FortiSOAR on-premise An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim’s user account to reset the account credentials without being prompted for the account’s password 2025-12-09 6.5 CVE-2025-59808 https://fortiguard.fortinet.com/psirt/FG-IR-25-599
 
Fortinet–FortiSOAR on-premise An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests 2025-12-09 6.2 CVE-2025-59810 https://fortiguard.fortinet.com/psirt/FG-IR-25-601
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed. 2025-12-09 6.8 CVE-2025-61821 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed. 2025-12-09 6.2 CVE-2025-61822 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed. 2025-12-09 6.2 CVE-2025-61823 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Microsoft–Windows Server 2022 Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. 2025-12-09 6.5 CVE-2025-62463 DirectX Graphics Kernel Denial of Service Vulnerability
 
Microsoft–Windows Server 2022 Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. 2025-12-09 6.5 CVE-2025-62465 DirectX Graphics Kernel Denial of Service Vulnerability
 
Microsoft–Windows 10 Version 1809 Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. 2025-12-09 6.5 CVE-2025-62473 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
 
Fortinet–FortiExtender An improper neutralization of special elements used in an os command (‘os command injection’) in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request. 2025-12-09 6.7 CVE-2025-64153 https://fortiguard.fortinet.com/psirt/FG-IR-25-739
 
Fortinet–FortiVoice An improper neutralization of special elements used in an sql command (‘sql injection’) vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests 2025-12-09 6.8 CVE-2025-64156 https://fortiguard.fortinet.com/psirt/FG-IR-25-362
 
Enalean–tuleap Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition. 2025-12-08 6.5 CVE-2025-64497 https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v
https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254
https://tuleap.net/plugins/tracker/?aid=45583
 
IBM–Storage Defender – Resiliency Service IBM Storage Defender – Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files. 2025-12-08 6.5 CVE-2025-64650 https://www.ibm.com/support/pages/node/7253864
 
Microsoft–Windows Server 2022 Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. 2025-12-09 6.5 CVE-2025-64670 Windows DirectX Information Disclosure Vulnerability
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-LogoffUser instruction prior V21.1. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 6.8 CVE-2025-64990 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 6.8 CVE-2025-64991 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 6.8 CVE-2025-64992 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. 2025-12-11 6.8 CVE-2025-64993 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM. 2025-12-11 6.5 CVE-2025-64994 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
TeamViewer–DEX A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges. 2025-12-11 6.5 CVE-2025-64995 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
 
withastro–astro Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8. 2025-12-08 6.5 CVE-2025-66202 https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c
https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
 
Huawei–HarmonyOS Permission control vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2025-12-08 6.2 CVE-2025-66325 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Race condition vulnerability in the audio module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 6.7 CVE-2025-66326 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
zauberzeug–nicegui NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0. 2025-12-08 6.1 CVE-2025-66469 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg
https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8
 
zauberzeug–nicegui NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue’s v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0. 2025-12-09 6.1 CVE-2025-66470 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2
https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
 
1Panel-dev–1Panel 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin’s default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14. 2025-12-09 6.5 CVE-2025-66508 https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7cqv-qcq2-r765
https://github.com/1Panel-dev/1Panel/commit/94f7d78cc9768ee244da33e09408017d1f68b5ed
 
robrichards–xmlseclibs xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Version 3.1.3 contains an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors. 2025-12-09 6 CVE-2025-66578 https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9
https://github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6
https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296
 
containernetworking–plugins The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability. 2025-12-09 6.6 CVE-2025-67499 https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm
https://github.com/containernetworking/plugins/pull/1210
https://github.com/containernetworking/plugins/releases/tag/v1.9.0
 
Mayuri-Chan–pyrofork Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram’s DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69. 2025-12-11 6.5 CVE-2025-67720 https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx
https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95
 
Exim–Exim Exim before 4.99.1 allows remote heap corruption that will be further described on 2025-12-18. 2025-12-14 6.4 CVE-2025-67896 https://www.openwall.com/lists/oss-security/2025/12/11/2
https://exim.org/static/doc/security/
 
sparklewpthemes–Kingcabs The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-7058 https://www.wordfence.com/threat-intel/vulnerabilities/id/7d75851d-4dd5-4fb4-97bc-fc63575e483e?source=cve
https://themes.trac.wordpress.org/browser/kingcabs/1.1.9/blocks-extends/blocks/progressbar.php#L44
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=290354%40kingcabs&new=290354%40kingcabs&sfp_email=&sfph_mail=
 
kingaddons–King Addons for Elementor 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-7960 https://www.wordfence.com/threat-intel/vulnerabilities/id/57865837-470e-4afd-bb90-d203a78a210b?source=cve
https://wordpress.org/plugins/king-addons/#developers
 
N/A–Vuetify Improper neutralization of the title date in the ‘VDatePicker’ component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. The vulnerability occurs because the ‘title-date-format’ property of the ‘VDatePicker’ can accept a user created function and assign its output to the ‘innerHTML’ property of the title element without sanitization. This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/. 2025-12-12 6.3 CVE-2025-8082 https://www.herodevs.com/vulnerability-directory/cve-2025-8082
https://codepen.io/herodevs/pen/dPYGPyR/775285c0fd5a08038d4c85398815d644
 
jetmonsters–JetWidgets For Elementor The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Image Comparison and Subscribe widgets in all versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8195 https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8a03f7-a028-401c-9088-77e75dd365f6?source=cve
https://plugins.trac.wordpress.org/browser/jetwidgets-for-elementor/tags/1.0.20/includes/addons/jet-widgets-subscribe-form.php
https://plugins.trac.wordpress.org/browser/jetwidgets-for-elementor/tags/1.0.20/includes/addons/jet-widgets-image-comparison.php
https://wordpress.org/plugins/jetwidgets-for-elementor/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364453%40jetwidgets-for-elementor&new=3364453%40jetwidgets-for-elementor&sfp_email=&sfph_mail=
 
debuggersstudio–Marquee Addons for Elementor Advanced Elements & Modern Motion Widgets The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8199 https://www.wordfence.com/threat-intel/vulnerabilities/id/ab664bc5-ef3c-4e5a-99d5-e3f1bb240a70?source=cve
https://wordpress.org/plugins/marquee-addons-for-elementor/#developers
https://plugins.trac.wordpress.org/changeset/3349636
 
yithemes–YITH WooCommerce Quick View The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8617 https://www.wordfence.com/threat-intel/vulnerabilities/id/8d44dcef-6330-4ef6-8385-923e88db669f?source=cve
https://plugins.trac.wordpress.org/browser/yith-woocommerce-quick-view/trunk/includes/class.yith-wcqv-frontend.php#L216
https://wordpress.org/plugins/yith-woocommerce-quick-view
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3353775%40yith-woocommerce-quick-view&new=3353775%40yith-woocommerce-quick-view&sfp_email=&sfph_mail=
 
themelooks–Enter Addons Ultimate Template Builder for Elementor The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8687 https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd6c085-9fd8-43d9-b244-ab91146f610f?source=cve
https://wordpress.org/plugins/enteraddons/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383539%40enteraddons&new=3383539%40enteraddons&sfp_email=&sfph_mail=
 
shamsbd71–All-in-One Addons for Elementor WidgetKit The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8779 https://www.wordfence.com/threat-intel/vulnerabilities/id/dbbdf433-8589-4f5f-b73d-2dba58f684a7?source=cve
https://wordpress.org/plugins/widgetkit-for-elementor/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378162%40widgetkit-for-elementor&new=3378162%40widgetkit-for-elementor&sfp_email=&sfph_mail=
 
livemesh–Livemesh SiteOrigin Widgets The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-8780 https://www.wordfence.com/threat-intel/vulnerabilities/id/eae0783a-a409-4947-b837-aee219b4d445?source=cve
https://wordpress.org/plugins/livemesh-siteorigin-widgets/#developers
https://plugins.trac.wordpress.org/changeset/3390558/livemesh-siteorigin-widgets/trunk/includes/widgets/lsow-hero-image-widget/tpl/default.php
https://plugins.trac.wordpress.org/changeset/3390558/livemesh-siteorigin-widgets/trunk/includes/widgets/lsow-pricing-table-widget/tpl/default.php
 
trustindex–Widgets for Google Reviews The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-11 6.4 CVE-2025-9436 https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve
https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803
 
davidanderson–Redux Framework The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-9488 https://www.wordfence.com/threat-intel/vulnerabilities/id/cabf776d-8749-45a8-94c1-7d1eef93a183?source=cve
https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.5.7/redux-core/inc/extensions/shortcodes/class-redux-shortcodes.php#L205
https://wordpress.org/plugins/redux-framework/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402803%40redux-framework&new=3402803%40redux-framework&sfp_email=&sfph_mail=#file22
 
popupbuilder–Popup Builder Create highly converting, mobile friendly marketing popups. The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘sg_popup’ shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-9856 https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve
https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438
https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368
https://plugins.trac.wordpress.org/changeset/3384281
 
a3rev–a3 Lazy Load The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-13 6.4 CVE-2025-9873 https://www.wordfence.com/threat-intel/vulnerabilities/id/0d837229-52fa-42ae-b733-8fbeb444f110?source=cve
https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L430
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377146%40a3-lazy-load&new=3377146%40a3-lazy-load&sfp_email=&sfph_mail=
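
The Stored XSS entries above (King Addons, JetWidgets, Marquee Addons, YITH Quick View, Enter Addons, WidgetKit, Livemesh, Widgets for Google Reviews, Redux Framework, Popup Builder, a3 Lazy Load) share one root cause: a shortcode or widget attribute that a Contributor can set is written into the page without escaping for the context it lands in. Contributors lack the unfiltered_html capability, so raw script tags in their post content are stripped by KSES on save, but a shortcode attribute survives as plain text and the plugin turns it into HTML at render time, for every viewer including the administrator reviewing the draft. The following is an added illustration of that pattern and its fix, not code from any of the listed plugins; the shortcode name, attributes and markup are hypothetical.

```php
<?php
// Added illustration for this bulletin, not code from any plugin listed above.
// The shortcode name, attributes and markup are hypothetical.
// Contributors can put shortcodes in posts they submit for review, so every
// attribute value is attacker-controlled; the output runs for whoever views
// the page.

// VULNERABLE: attribute values are interpolated raw into HTML.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '#' ),
        $atts,
        'demo_box'
    );
    // title='x" onmouseover="alert(1)'  breaks out of the title attribute;
    // link="javascript:alert(1)"        becomes a script URL;
    // color='red" onclick="alert(1)'    escapes the style attribute.
    return '<div class="demo-box" style="color:' . $atts['color'] . '">'
         . '<a href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a></div>';
}

// HARDENED: validate where a value has a fixed shape, and escape every other
// value with the function for the context it lands in (attribute, URL, text).
function demo_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '#' ),
        $atts,
        'demo_box'
    );
    // CSS colour: allow only #rgb / #rrggbb instead of trying to escape CSS.
    $color = preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $atts['color'] )
        ? $atts['color']
        : '#000';
    // esc_url() drops disallowed schemes such as javascript:, esc_attr()
    // neutralises quotes inside attributes, esc_html() covers text nodes.
    return '<div class="demo-box" style="color:' . esc_attr( $color ) . '">'
         . '<a href="' . esc_url( $atts['link'] ) . '" title="' . esc_attr( $atts['title'] ) . '">'
         . esc_html( $atts['title'] ) . '</a></div>';
}
add_shortcode( 'demo_box', 'demo_box_shortcode_hardened' );
```

When reviewing a fix for one of these advisories, the check is the same for every attribute: find each place the value is emitted and confirm the escaping function matches that output context; a single esc_html() applied to a value that later lands in an href or a style attribute is not sufficient.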
 
Essential Plugin–Slider a SlidersPack Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider a SlidersPack: from n/a before 2.3. 2025-12-09 5.3 CVE-2022-46845 https://vdp.patchstack.com/database/wordpress/plugin/sliderspack-all-in-one-image-sliders/vulnerability/wordpress-slider-a-sliderspack-image-slider-post-slider-acf-gallery-slider-plugin-2-0-2-broken-access-control?_s_id=cve
 
Brainstorm Force–Spectra Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0. 2025-12-09 5.4 CVE-2023-23729 https://vdp.patchstack.com/database/wordpress/plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-contributor-recaptcha-settings-change-vulnerability?_s_id=cve
 
Fortinet–FortiPortal A key management error vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate’s private key via the device’s admin shell. 2025-12-11 5.9 CVE-2024-40593 https://fortiguard.fortinet.com/psirt/FG-IR-24-133
 
HCL Software–Workload Scheduler HCL Workload Scheduler stores user credentials in plain text which can be read by a local user. 2025-12-11 5.5 CVE-2024-42197 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127448
 
wssoffice21–Filter & Grids The Filter & Grids plugin for WordPress is vulnerable to SQL Injection via the ‘phrase’ parameter in all versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only works on MariaDB as the query results in a syntax error on MySQL. 2025-12-13 5.9 CVE-2025-10289 https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bbab6e-ed2f-4b90-a658-aae85906d06e?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378420%40ymc-smart-filter&new=3378420%40ymc-smart-filter&sfp_email=&sfph_mail=
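
The Filter & Grids entry above describes the usual WordPress SQL injection shape: a request parameter concatenated into a query string instead of being bound through $wpdb->prepare(). The MariaDB/MySQL distinction the advisory notes affects only which payloads parse, not the fix. The following is an added example of the pattern and its correction, not the plugin's own code; the function names and the query are hypothetical.

```php
<?php
// Added example for this bulletin, not code from the Filter & Grids plugin.
// Function names and the query itself are hypothetical.

// VULNERABLE: the search phrase from the request is concatenated into SQL.
// A phrase such as  x%' UNION SELECT user_login,user_pass FROM wp_users-- -
// appends a second SELECT to the statement.
function demo_search_vulnerable( $phrase ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_status = 'publish' AND post_title LIKE '%" . $phrase . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: escape LIKE metacharacters (% and _) so the user cannot widen the
// match, then bind the value with prepare(); the placeholder is quoted and
// escaped by $wpdb, so quote characters in $phrase never reach the parser as
// SQL syntax.
function demo_search_hardened( $phrase ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $phrase ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_status = 'publish' AND post_title LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Table and column names cannot be bound as placeholders; when they are
// user-selectable, map the input onto a fixed allow-list instead.
function demo_order_column( $requested ) {
    $allowed = array( 'post_date', 'post_title', 'comment_count' );
    return in_array( $requested, $allowed, true ) ? $requested : 'post_date';
}
```

Note that $wpdb->prepare() only protects values; an ORDER BY column or table name taken from the request still needs the allow-list shown at the end, since a placeholder there would be quoted as a string literal.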
 
TalentSoft Software–e-BAP Automation Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in TalentSoft Software e-BAP Automation allows Cross-Site Scripting (XSS). This issue affects e-BAP Automation: from 1.8.96 before v.41815. 2025-12-09 5.3 CVE-2025-10876 https://www.usom.gov.tr/bildirim/tr-25-0434
 
themeisle–RSS Aggregator by Feedzy Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2025-12-11 5.8 CVE-2025-11467 https://www.wordfence.com/threat-intel/vulnerabilities/id/5754dce7-6b47-4490-a04a-7eabfded0720?source=cve
https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L551
 
webfactory–Login Lockdown & Protection The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP Address. This makes it possible for unauthenticated attackers to bypass blocks due to invalid login attempts. 2025-12-13 5.3 CVE-2025-11707 https://www.wordfence.com/threat-intel/vulnerabilities/id/9c732ea2-0263-4b18-9aa4-29e387b26362?source=cve
https://plugins.trac.wordpress.org/browser/login-lockdown/trunk/libs/functions.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389843%40login-lockdown&new=3389843%40login-lockdown&sfp_email=&sfph_mail=
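
The Login Lockdown entry above is a token-predictability defect: an unblock key that can be recomputed by anyone who knows an administrator's e-mail address gives an attacker a way to lift their own IP block. The following is an added example of the defect class beside a sound construction, not the plugin's code; the weak function is a hypothetical illustration of a key derived deterministically from learnable inputs and is not Login Lockdown's actual algorithm. The transient names and function names are also hypothetical.

```php
<?php
// Added example for this bulletin, not code from the Login Lockdown plugin.
// demo_unblock_key_weak() is a hypothetical illustration of the defect class,
// not the plugin's real derivation. Names are hypothetical.

// WEAK: every input is either public (the admin e-mail) or chosen by the
// attacker (their own IP), so the "secret" can be computed offline.
function demo_unblock_key_weak( $admin_email, $ip ) {
    return substr( md5( $admin_email . $ip ), 0, 12 );
}

// HARDENED: 128 bits from the CSPRNG, never stored in plaintext, bound to the
// blocked IP, time-limited and single-use. The plaintext key travels only in
// the e-mail to the administrator.
function demo_unblock_key_issue( $blocked_ip, $ttl = 3600 ) {
    $key    = bin2hex( random_bytes( 16 ) );           // 32 hex chars, unguessable
    $lookup = 'demo_unblock_' . hash( 'sha256', $key ); // store by hash, not by key
    set_transient( $lookup, array(
        'ip'      => $blocked_ip,
        'expires' => time() + $ttl,
    ), $ttl );
    return $key;                                        // e-mail it; do not log it
}

function demo_unblock_key_redeem( $key, $requesting_ip ) {
    if ( ! preg_match( '/^[0-9a-f]{32}$/', (string) $key ) ) {
        return false;                                   // shape check before any lookup
    }
    $lookup = 'demo_unblock_' . hash( 'sha256', $key );
    $record = get_transient( $lookup );
    if ( ! is_array( $record ) ) {
        return false;                                   // unknown or already used
    }
    delete_transient( $lookup );                        // single use, even if checks below fail
    if ( time() > $record['expires'] ) {
        return false;
    }
    // Constant-time compare so a valid key for another IP cannot be confirmed
    // by timing.
    return hash_equals( (string) $record['ip'], (string) $requesting_ip );
}
```

Two properties matter when auditing an unblock or reset token: the key must come from a cryptographic random source rather than from hashing known values, and the server-side record must be consumed on first use so a leaked key cannot be replayed.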
 
icegram–Email Subscribers & Newsletters Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce The Icegram Express – Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage. 2025-12-12 5.3 CVE-2025-12348 https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194
https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php
 
saadiqbal–myCred Points Management System For Gamification, Ranks, Badges, and Loyalty Program. The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action. 2025-12-13 5.3 CVE-2025-12362 https://www.wordfence.com/threat-intel/vulnerabilities/id/af54654b-60af-446d-b170-ee0a1ebed22c?source=cve
https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/cash-creds/modules/cashcred-module-core.php#L141
https://plugins.trac.wordpress.org/changeset/3417299/mycred/trunk?contextall=1&old=3410754&old_path=%2Fmycred%2Ftrunk#file0
 
netweblogic–Events Manager Calendar, Bookings, Tickets, and more! The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the ‘get_location’ action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to. 2025-12-12 5.3 CVE-2025-12408 https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve
https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php
 
IBM–WebSphere Application Server IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site. 2025-12-08 5.4 CVE-2025-12635 https://www.ibm.com/support/pages/node/7254078
 
hippooo–Hippoo Mobile App for WooCommerce The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => ‘__return_true’`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server’s publicly accessible upload directory via the vulnerable endpoint. 2025-12-12 5.3 CVE-2025-12655 https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve
https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45
https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117
https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1
 
campay–Campay Woocommerce Payment Gateway The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income. 2025-12-12 5.3 CVE-2025-12883 https://www.wordfence.com/threat-intel/vulnerabilities/id/2f12fa00-6108-4bd4-9310-8558211f4d0f?source=cve
https://wordpress.org/plugins/campay-api/
 
ajitdas–Devs CRM Manage tasks, attendance and teams all together The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes. 2025-12-13 5.3 CVE-2025-13092 https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c520d-4843-4ef1-8c96-cbf0eaab58cb?source=cve
https://wordpress.org/plugins/devs-crm/
 
ajitdas–Devs CRM Manage tasks, attendance and teams all together The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘/wp-json/devs-crm/v1/bulk-update’ REST API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update lead tags. 2025-12-13 5.3 CVE-2025-13093 https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve
https://wordpress.org/plugins/devs-crm/
 
IBM–Aspera Orchestrator IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency. 2025-12-11 5.3 CVE-2025-13211 https://www.ibm.com/support/pages/node/7254434
 
Kubernetes–Kubernetes A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services). 2025-12-14 5.8 CVE-2025-13281 https://github.com/kubernetes/kubernetes/issues/135525
https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ
 
markutos987–Product Filtering by Categories, Tags, Price Range for WooCommerce Filter Plus The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the ‘filter_save_settings’ and ‘add_filter_options’ AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin’s settings and create arbitrary filter options. 2025-12-12 5.3 CVE-2025-13314 https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve
https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23
https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82
https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28
https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178
 
emarket-design–Employee Spotlight Team Member Showcase & Meet the Team Plugin The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings. 2025-12-13 5.3 CVE-2025-13403 https://www.wordfence.com/threat-intel/vulnerabilities/id/19738a82-8c31-45bb-a869-68e357299eb5?source=cve
https://plugins.trac.wordpress.org/browser/employee-spotlight/trunk/includes/plugin-feedback-functions.php#L19
https://plugins.trac.wordpress.org/browser/employee-spotlight/tags/5.1.3/includes/plugin-feedback-functions.php#L19
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418117%40employee-spotlight&new=3418117%40employee-spotlight&sfp_email=&sfph_mail=
 
premmerce–Premmerce Wishlist for WooCommerce The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists. 2025-12-12 5.3 CVE-2025-13440 https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve
https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php#L334
https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/tags/1.1.10/src/Admin/Admin.php#L334
 
properfraction–Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content ProfilePress The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint. 2025-12-09 5.4 CVE-2025-13642 https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f?source=cve
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L71
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L15
https://plugins.trac.wordpress.org/changeset/3408055/
 
rcatheme–Guest Support The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter. 2025-12-12 5.3 CVE-2025-13660 https://www.wordfence.com/threat-intel/vulnerabilities/id/01299aba-0dff-47fd-9e90-ee84f00a0f3b?source=cve
https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L22
https://plugins.trac.wordpress.org/browser/guest-support/tags/1.2.3/includes/library/ajax.php#L22
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412822%40guest-support&new=3412822%40guest-support&sfp_email=&sfph_mail=
 
mailerlite–MailerLite Signup forms (official) The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘form_description’ and ‘success_message’ parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 5.5 CVE-2025-13993 https://www.wordfence.com/threat-intel/vulnerabilities/id/8c37cc28-fde0-45c6-b49c-d6dfb296c4a5?source=cve
https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L179
https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L224
https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L38
https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L94
https://plugins.trac.wordpress.org/changeset/3416100/official-mailerlite-sign-up-forms/trunk/src/Controllers/AdminController.php
 
rodolforizzo76–Simple Bike Rental The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘simpbire_carica_prenotazioni’ AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers’ personally identifiable information (PII), including names, email addresses, and phone numbers. 2025-12-12 5.3 CVE-2025-14065 https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve
https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137
https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137
https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental/
 
addonsorg–PDF for Contact Form 7 + Drag and Drop Template Builder The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the ‘rednumber_duplicate’ function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones. 2025-12-12 5.3 CVE-2025-14074 https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7?source=cve
https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/trunk/backend/index.php#L697
https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/tags/6.3.2/backend/index.php#L697
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416014%40pdf-for-contact-form-7&new=3416014%40pdf-for-contact-form-7&sfp_email=&sfph_mail=
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in GLib. This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution, via a buffer underflow in the GVariant parser when processing maliciously crafted input strings. 2025-12-10 5.6 CVE-2025-14087 https://access.redhat.com/security/cve/CVE-2025-14087
RHBZ#2419093
 
ludwigyou–WPMasterToolKit (WPMTK) All in one plugin The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise. 2025-12-12 5.3 CVE-2025-14166 https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve
https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135
https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135
https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628
https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628
https://plugins.trac.wordpress.org/log/wpmastertoolkit/
 
stiand–Vimeo SimpleGallery The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter. 2025-12-12 5.3 CVE-2025-14170 https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb28557-7023-481f-a05b-0b9a22d7a456?source=cve
https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/trunk/vimeo_simplegallery.php#L22
https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/tags/0.2/vimeo_simplegallery.php#L22
 
Ilevia–EVE X1 Server A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. An unknown function of the file /ajax/php/leaf_search.php is affected. Manipulation of the argument line causes command injection. The attack can be initiated remotely, but a high degree of complexity is needed and exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: “We already know that issue and on most devices are already solved, also it’s not needed to open the port to outside world so we advised our customer to close it”. 2025-12-08 5.6 CVE-2025-14276 VDB-334802 | Ilevia EVE X1 Server leaf_search.php command injection
VDB-334802 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702649 | Ilevia Srl. Ilevia EVE X1 Server 4.6.5.0.eden Command Injection
https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ahygt5u6sgqpk5tt?singleDoc
 
Tenda–AC9 A vulnerability was determined in Tenda AC9 15.03.05.14_multi. An unknown function of the file /cgi-bin/DownloadCfg.jpg in the Configuration File Handler component is affected. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-09 5.3 CVE-2025-14286 VDB-334874 | Tenda AC9 Configuration File DownloadCfg.jpg information disclosure
VDB-334874 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702723 | Tenda AC9 V1.0 V15.03.05.14_multi Information Disclosure
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN11.md
https://www.tenda.com.cn/
 
dugudlabs–Eyewear prescription form The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the ‘catIds’ parameter. 2025-12-13 5.3 CVE-2025-14365 https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve
https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74
https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326
 
dugudlabs–Eyewear prescription form The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the ‘Name’, ‘Price’, and ‘Parent’ parameters. 2025-12-13 5.3 CVE-2025-14366 https://www.wordfence.com/threat-intel/vulnerabilities/id/0f21d7a2-3b4f-487f-a64a-b963427233b3?source=cve
https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L71
https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L369
 
corsonr–Easy Theme Options The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto_import_settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary plugin settings via the ‘eto_import_settings’ parameter. 2025-12-13 5.3 CVE-2025-14367 https://www.wordfence.com/threat-intel/vulnerabilities/id/8405e80d-fd72-4d87-b08a-19a686eb2982?source=cve
https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L277
https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L282
 
ays-pro–Secure Copy Content Protection and Content Locking The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for unauthenticated attackers to access sensitive user data including emails, IP addresses, usernames, roles, and location data by directly accessing the exported CSV file. 2025-12-12 5.3 CVE-2025-14442 https://www.wordfence.com/threat-intel/vulnerabilities/id/72b95777-d17b-4504-95fd-c83b18106b9e?source=cve
https://wordpress.org/plugins/secure-copy-content-protection/#developers
https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.0/admin/class-secure-copy-content-protection-admin.php#L557
https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L560
 
pcantoni–AnnunciFunebri Impresa The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state. 2025-12-13 5.3 CVE-2025-14447 https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9ea2a2-34af-408c-91ee-6d5fd9431529?source=cve
https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/trunk/functions.inc.php#L845
https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/tags/4.7.0/functions.inc.php#L845
 
EFM–ipTIME A3004T A weakness has been identified in EFM ipTIME A3004T 14.19.0. This vulnerability affects the function show_debug_screen of the file /sess-bin/timepro.cgi of the component Administrator Password Handler. This manipulation of the argument aaksjdkfj with the input !@dnjsrureljrm*& causes command injection. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 5 CVE-2025-14485 VDB-335768 | EFM ipTIME A3004T Administrator Password timepro.cgi show_debug_screen command injection
VDB-335768 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702655 | EFM NETWORKS CO., LTD. ipTime A3004T 14.19.0 Command Injection
https://www.yuque.com/yuqueyonghuexlgkz/zepczx/mf0uog9s2ycay4g2?singleDoc
https://pan.baidu.com/s/12VsWYY-bf2-Kfufbs2dlXw?pwd=drt
 
Yalantis–uCrop A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 5.3 CVE-2025-14517 VDB-335855 | Yalantis uCrop AndroidManifest.xml UCropActivity improper export of android application components
VDB-335855 | CTI Indicators (IOB, IOC, IOA)
Submit #702811 | uCrop Android Library uCrop 2.2.11 Intent Spoofing
https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?source=copy_link
https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446#469832583e0444dcb3d08b0ca661d1c6
 
baowzh–hfly A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. Impacted is an unknown function of the file /admin/index.php/datafile/delfile. This manipulation of the argument filename causes path traversal. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 5.4 CVE-2025-14520 VDB-335858 | baowzh hfly delfile path traversal
VDB-335858 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702948 | GitHub hfly 1.0 Arbitrary file deleting
https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20delfile%20filename%20Arbitrary%20file%20delete.md
 
D-Link–DIR-803 A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-11 5.3 CVE-2025-14528 VDB-335869 | D-Link DIR-803 Configuration getcfg.php information disclosure
VDB-335869 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703150 | D-Link DIR-803 1.04 and earlier Authorization Bypass
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md
https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md#poc
https://www.dlink.com/
 
rang501–Shortcode Ajax The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. 2025-12-13 5.4 CVE-2025-14539 https://www.wordfence.com/threat-intel/vulnerabilities/id/8e2a994f-7a42-4ccb-8fa0-77107ba1150c?source=cve
https://plugins.trac.wordpress.org/browser/shortcode-ajax/trunk/shortcode-ajax.php#L29
 
haxxorsid–Stock-Management-System A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-12 5.3 CVE-2025-14567 VDB-336191 | haxxorsid Stock-Management-System employees missing authentication
VDB-336191 | CTI Indicators (IOB, IOC, IOA)
Submit #703879 | haxxorsid stock-management-system 1.0 Improper Access Controls
https://github.com/ixpqxi/CVE_LIST/blob/master/stock_management_system/access_control_vulnerability.md
 
ggml-org–whisper.cpp A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. Affected is the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp. The manipulation results in use after free. The attack requires a local approach. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-12 5.3 CVE-2025-14569 VDB-336193 | ggml-org whisper.cpp common-whisper.cpp read_audio_data use after free
VDB-336193 | CTI Indicators (IOB, IOC, IOA)
Submit #703886 | ggerganov whisper.cpp v1.8.2 Free of Memory not on the Heap
https://github.com/ggml-org/whisper.cpp/issues/3501
https://github.com/oneafter/InvalidFree/blob/main/repro
 
villatheme–HAPPY Helpdesk Support Ticket System The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ‘submit_form_reply’ AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the ‘happy_topic_id’ parameter, regardless of whether they are the ticket owner or have been assigned to the ticket. 2025-12-13 5.3 CVE-2025-14581 https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve
https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585
https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail=
 
tiny-rdm–Tiny RDM A security vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5. Affected by this vulnerability is the function pickle.loads of the file pickle_convert.go of the component Pickle Decoding. The manipulation leads to deserialization. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-13 5 CVE-2025-14606 VDB-336282 | tiny-rdm Tiny RDM Pickle Decoding pickle_convert.go pickle.loads deserialization
VDB-336282 | CTI Indicators (IOB, IOC, IOA)
Submit #704138 | tiny-rdm Tiny RDM 1.2.5 Insecure Deserialization
https://github.com/tiny-craft/tiny-rdm/issues/512
 
Jehovahs Witnesses–JW Library App A vulnerability has been found in Jehovahs Witnesses JW Library App up to 15.5.1 on Android. Affected is an unknown function of the component org.jw.jwlibrary.mobile.activity.SiloContainer. Such manipulation leads to path traversal. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. 2025-12-13 5.3 CVE-2025-14617 VDB-336303 | Jehovahs Witnesses JW Library App org.jw.jwlibrary.mobile.activity.SiloContainer path traversal
VDB-336303 | CTI Indicators (IOB, IOC, TTP)
Submit #705077 | Jehovah’s Witnesses(https://www.jw.org/finder?docid=802013031) JW Library APP (org.jw.jwlibrary.mobile) V15.5.1 Path Traversal
https://github.com/Secsys-FDU/AF_CVEs/issues/1
 
DecoCMS–Mesh A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component. 2025-12-14 5.6 CVE-2025-14660 VDB-336392 | DecoCMS Mesh Workspace Domain api.ts createTool access control
VDB-336392 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713741 | Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls
https://github.com/decocms/mesh/pull/1967
https://github.com/decocms/mesh/pull/1967#issuecomment-3622379237
https://github.com/decocms/mesh/pull/1967#issue-3700934099
https://github.com/decocms/mesh/commit/5f7315e05852faf3a9c177c0a34f9ea9b0371d3d
https://github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32
 
Siemens–Gridscale X Prepay A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users. 2025-12-09 5.3 CVE-2025-40806 https://cert-portal.siemens.com/productcert/html/ssa-356310.html
 
SAP_SE–SAPUI5 framework (Markdown-it component) SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability. 2025-12-09 5.9 CVE-2025-42873 https://me.sap.com/notes/3676970
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP Enterprise Search for ABAP Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on the application’s availability. 2025-12-09 5.5 CVE-2025-42891 https://me.sap.com/notes/3659117
https://url.sap/sapsecuritypatchday
 
SAP_SE–SAP BusinessObjects Business Intelligence Platform SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability. 2025-12-09 5.4 CVE-2025-42896 https://me.sap.com/notes/3651390
https://url.sap/sapsecuritypatchday
 
bannersky–BSK PDF Manager The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-12 5.5 CVE-2025-4970 https://www.wordfence.com/threat-intel/vulnerabilities/id/3cf1983b-4cb7-4738-9f19-2c530a9939e0?source=cve
https://wordpress.org/plugins/bsk-pdf-manager/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405989%40bsk-pdf-manager&new=3405989%40bsk-pdf-manager&sfp_email=&sfph_mail=
 
Fortinet–FortiSandbox An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an attacker to perform an XSS attack via crafted HTTP requests. 2025-12-09 5.3 CVE-2025-54353 https://fortiguard.fortinet.com/psirt/FG-IR-25-477
 
Meta–react-server-dom-webpack An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument. 2025-12-11 5.3 CVE-2025-55183 https://www.facebook.com/security/advisories/cve-2025-55183
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
 
PowerDNS–Recursor An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY. 2025-12-09 5.3 CVE-2025-59029 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html
 
Pegasystems–Pega Infinity Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration vulnerability. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to the deprecated basic-authentication feature; other, more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type is deprecated starting with version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html. 2025-12-10 5.3 CVE-2025-62181 https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note
 
c-ares–c-ares c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6. 2025-12-08 5.9 CVE-2025-62408 https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5
https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618
 
Microsoft–Windows Server 2025 (Server Core installation) Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally. 2025-12-09 5.5 CVE-2025-62468 Windows Defender Firewall Service Information Disclosure Vulnerability
 
Microsoft–Windows 10 Version 1809 Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network. 2025-12-09 5.3 CVE-2025-62567 Windows Hyper-V Denial of Service Vulnerability
 
Fortinet–FortiOS An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an active SSLVPN session not terminated after a user’s password change, under particular conditions outside of the attacker’s control. 2025-12-09 5.3 CVE-2025-62631 https://fortiguard.fortinet.com/psirt/FG-IR-25-411
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64541 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64543 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64544 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64545 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64546 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64547 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64548 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64549 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64550 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64551 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64553 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64554 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64555 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64556 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64557 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64558 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64559 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64560 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64562 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64563 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64564 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64565 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64566 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64569 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64572 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64574 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64575 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64576 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64577 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64578 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64579 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64580 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64581 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64582 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64583 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64585 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64586 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64590 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64591 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64592 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64593 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64594 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64596 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64597 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64598 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64599 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64600 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64601 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64602 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64603 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64604 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64605 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64606 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64607 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64609 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64611 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64612 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64613 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64614 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64615 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64616 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64619 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64620 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64622 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64623 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64626 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64627 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Microsoft–Microsoft Exchange Server Subscription Edition RTM User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. 2025-12-09 5.3 CVE-2025-64667 Microsoft Exchange Server Spoofing Vulnerability
 
quic-go–quic-go quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go’s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0. 2025-12-11 5.3 CVE-2025-64702 https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
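The quic-go entry above describes a limit placed on the wrong quantity: the compressed HEADERS frame is bounded, but the decoded field section it expands into is not. The following Go program is an added illustration of that gap and of the check that closes it; it is not quic-go's code and does not use the quic-go or QPACK packages. It models decoded fields as a plain slice, uses the 32-byte per-field accounting term that HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE and HTTP/3 SETTINGS_MAX_FIELD_SECTION_SIZE apply, and assumes example limits (a 64 KiB frame, a 1 MiB decoded budget) and a constructed wire cost for indexed QPACK references; none of those values are taken from the advisory or from quic-go.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// headerField is one decoded (post-QPACK) name/value pair, as a QPACK
// decoder would hand it to the HTTP/3 layer.
type headerField struct {
	name, value string
}

// perFieldOverhead is the 32-byte per-field accounting term that the
// HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE and HTTP/3
// SETTINGS_MAX_FIELD_SECTION_SIZE limits charge for every field.
const perFieldOverhead = 32

var errFieldSectionTooLarge = errors.New("decoded field section exceeds limit")

// fieldSectionSize returns the accounted decoded size of a field list.
func fieldSectionSize(fields []headerField) int {
	n := 0
	for _, f := range fields {
		n += len(f.name) + len(f.value) + perFieldOverhead
	}
	return n
}

// buildHeaderUnbounded reproduces the weak pattern the advisory describes:
// the only check is on the size of the compressed HEADERS frame, so the
// http.Header grows to whatever the frame decodes into.
func buildHeaderUnbounded(maxFrameSize, compressedLen int, fields []headerField) (http.Header, error) {
	if compressedLen > maxFrameSize {
		return nil, errors.New("HEADERS frame exceeds frame size limit")
	}
	h := make(http.Header)
	for _, f := range fields {
		h.Add(f.name, f.value)
	}
	return h, nil
}

// buildHeaderBounded keeps the frame check and adds a budget on the
// decoded field section, charged per field before that field is stored,
// so allocation stops at the budget instead of at the end of the section.
func buildHeaderBounded(maxFrameSize, maxFieldSectionSize, compressedLen int, fields []headerField) (http.Header, error) {
	if compressedLen > maxFrameSize {
		return nil, errors.New("HEADERS frame exceeds frame size limit")
	}
	h := make(http.Header)
	used := 0
	for _, f := range fields {
		used += len(f.name) + len(f.value) + perFieldOverhead
		if used > maxFieldSectionSize {
			return nil, errFieldSectionTooLarge
		}
		h.Add(f.name, f.value)
	}
	return h, nil
}

// expandingSection is constructed sample input modelling the amplification:
// one dynamic-table entry holding a valueLen-byte value, referenced n times.
// A QPACK indexed field line costs a byte or two on the wire but decodes to
// the full name and value each time. The wire cost used here (value sent
// once, 2 bytes per reference) is an assumption for the demo, not a real
// QPACK encoding.
func expandingSection(n, valueLen int) (compressedLen int, fields []headerField) {
	value := strings.Repeat("A", valueLen) // shared here; a real decoder allocates per field
	fields = make([]headerField, 0, n)
	for i := 0; i < n; i++ {
		fields = append(fields, headerField{name: "x-big", value: value})
	}
	return valueLen + 2*n, fields
}

func main() {
	const maxFrame = 64 << 10  // assumed compressed HEADERS frame limit
	const maxSection = 1 << 20 // assumed decoded field section budget
	compressedLen, fields := expandingSection(10000, 4096)
	fmt.Printf("compressed=%d bytes, decoded=%d bytes\n", compressedLen, fieldSectionSize(fields))

	h, err := buildHeaderUnbounded(maxFrame, compressedLen, fields)
	fmt.Printf("unbounded: err=%v, values stored=%d\n", err, len(h.Values("x-big")))

	_, err = buildHeaderBounded(maxFrame, maxSection, compressedLen, fields)
	fmt.Printf("bounded:   err=%v\n", err)
}
```

The point of charging the budget before each h.Add, rather than summing after the loop, is that the rejection happens before the allocation the attacker is trying to force; a post-hoc check still lets a single malicious stream reach the full decoded size.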
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64789 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64790 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64791 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64792 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64793 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64794 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64796 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64797 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64799 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64800 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64801 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64802 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64803 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64804 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64808 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64814 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64817 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64820 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64821 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64822 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64823 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64825 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64826 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64827 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64829 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64833 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64839 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64840 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64841 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64845 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64847 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64850 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64852 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64853 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64857 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64858 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64861 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64863 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64869 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64873 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64875 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 5.4 CVE-2025-64881 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64887 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim’s browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. 2025-12-10 5.4 CVE-2025-64888 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–DNG SDK DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this issue to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 5.5 CVE-2025-64894 https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html
 
Adobe–Creative Cloud Desktop Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application’s functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2025-12-09 5.5 CVE-2025-64896 https://helpx.adobe.com/security/products/creative-cloud/apsb25-120.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial of service. Exploitation of this issue requires user interaction. 2025-12-09 5.6 CVE-2025-64897 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
libimobiledevice–usbmuxd A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba. 2025-12-10 5.7 CVE-2025-66004 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66004
 
okta–okta-sdk-java Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load. In addition to using the affected versions, users may be at risk if they are implementing a long-running application using the ApiClient in a multi-threaded manner. This issue is fixed in version 24.0.1. 2025-12-10 5.3 CVE-2025-66033 https://github.com/okta/okta-sdk-java/security/advisories/GHSA-qhr6-6cgv-6638
https://github.com/okta/okta-sdk-java/commit/1daa9229a70fc38fb252aeaa637f82d0b0729b3f
 
Huawei–HarmonyOS Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 5.1 CVE-2025-66320 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 5.1 CVE-2025-66321 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 5.1 CVE-2025-66322 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 5.3 CVE-2025-66323 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
traefik–traefik Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to “on” (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3. 2025-12-09 5.9 CVE-2025-66491 https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj
https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4
https://github.com/traefik/traefik/releases/tag/v3.6.3
 
Zoom Communications Inc.–Zoom Rooms External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access. 2025-12-10 5 CVE-2025-67461 https://www.zoom.com/en/trust/security-bulletin/zsb-25051
 
machphy–mad-proxy mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication. 2025-12-10 5.3 CVE-2025-67485 https://github.com/machphy/mad-proxy/security/advisories/GHSA-wx63-35hw-2482
 
auth0–nextjs-auth0 The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1. 2025-12-10 5.4 CVE-2025-67490 https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7
https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b
 
remram44–taguette Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2. 2025-12-09 5.4 CVE-2025-67502 https://github.com/remram44/taguette/security/advisories/GHSA-5923-r76v-mprm
https://github.com/remram44/taguette/commit/67de2d2612e7e2572c61cd9627f89c2bfd0f2a36
 
auth0–nextjs-auth0 The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0. 2025-12-11 5.7 CVE-2025-67716 https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5
https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c
 
tornadoweb–tornado Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom “reason” phrases (the “Not Found” in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3. 2025-12-12 5.4 CVE-2025-67724 https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3
 
sequoia-pgp–sequoia In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet. 2025-12-14 5.3 CVE-2025-67897 https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5
https://bugs.debian.org/1122582
https://gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS#L7-L26
 
kristapsdz–openrsync openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked. 2025-12-14 5.3 CVE-2025-67901 https://github.com/kristapsdz/openrsync/issues/34
https://github.com/openbsd/src/blob/60b9c3dff1abf933e85e3c4d96b54201ee947513/usr.bin/rsync/blocks.c#L480-L481
 
TalentSoft Software–UNIS Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in TalentSoft Software UNIS allows Reflected XSS. This issue affects UNIS: before 42957. 2025-12-09 5.4 CVE-2025-6923 https://www.usom.gov.tr/bildirim/tr-25-0435
 
TalentSoft Software–e-BAP Automation Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in TalentSoft Software e-BAP Automation allows Reflected XSS. This issue affects e-BAP Automation: before 42957. 2025-12-09 5.4 CVE-2025-6924 https://www.usom.gov.tr/bildirim/tr-25-0434
 
templateinvaders–TI WooCommerce Wishlist The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and are later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items. 2025-12-13 5.3 CVE-2025-9207 https://www.wordfence.com/threat-intel/vulnerabilities/id/8d08d381-d0ef-4f40-975d-51e919a7c872?source=cve
https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L326
https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L544
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399224%40ti-woocommerce-wishlist&new=3399224%40ti-woocommerce-wishlist&sfp_email=&sfph_mail=
 
Repute Infosystems–ARMember Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember: from n/a through 3.4.10. 2025-12-09 4.3 CVE-2022-47425 https://vdp.patchstack.com/database/wordpress/plugin/armember-membership/vulnerability/wordpress-armember-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-3-4-10-broken-access-control?_s_id=cve
 
Taylor Hawkes–WP Fast Cache Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery. This issue affects WP Fast Cache: from n/a through 1.5. 2025-12-09 4.3 CVE-2023-22675 https://vdp.patchstack.com/database/wordpress/plugin/wp-fast-cache/vulnerability/wordpress-wp-fast-cache-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
creativthemes–Mavix Education The Mavix Education theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘mavix_education_activate_plugin’ AJAX action in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Creativ Demo Importer plugin. 2025-12-13 4.3 CVE-2025-11164 https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e57528-010f-4ec6-917b-4cd8c3fdbd58?source=cve
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=297888%40mavix-education&new=297888%40mavix-education
 
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries. 2025-12-11 4.3 CVE-2025-11247 GitLab Issue #573766
HackerOne Bug Bounty Report #3307422
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
emplibot–Emplibot AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated The Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the emplibot_call_webhook_with_error() and emplibot_process_zip_data() functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2025-12-13 4.4 CVE-2025-11970 https://www.wordfence.com/threat-intel/vulnerabilities/id/095c6359-112d-4abc-a69b-a623dfd103c0?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398720%40emplibot&new=3398720%40emplibot&sfp_email=&sfph_mail=
 
netweblogic–Events Manager Calendar, Bookings, Tickets, and more! The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the ‘location_delete’ action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-12407 https://www.wordfence.com/threat-intel/vulnerabilities/id/a99d0220-38af-40fe-8b9f-af173fc41248?source=cve
https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php
 
edge22–GenerateBlocks The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under `generateblocks/v1/meta/` that gate access with `current_user_can(‘edit_posts’)`, which is granted to low-privileged roles such as Contributor. The handlers accept arbitrary entity IDs (user IDs, post IDs, etc.) and meta keys, returning any requested metadata with only a short blacklist of password-like keys for protection. There is no object-level authorization ensuring the caller is requesting only their own data, and there is no allowlist of safe keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to exfiltrate personally identifiable information (PII) and other sensitive profile data of administrator accounts or any other users by directly querying user meta keys via the exposed endpoints via the `get_user_meta_rest` function. In typical WordPress + WooCommerce setups, this includes names, email, phone, and address fields that WooCommerce stores in user meta, enabling targeted phishing, account takeover pretexting, and privacy breaches. 2025-12-13 4.3 CVE-2025-12512 https://www.wordfence.com/threat-intel/vulnerabilities/id/6affdb56-39cc-4749-b7cb-b80b7666f028?source=cve
https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L56
https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L297
https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L61
https://plugins.trac.wordpress.org/changeset/3415721/generateblocks/trunk/includes/class-meta-handler.php
 
beaverbuilder–Beaver Builder Page Builder Drag and Drop Website Builder The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the ‘get_attachment_sizes’ function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments. 2025-12-09 4.3 CVE-2025-12558 https://www.wordfence.com/threat-intel/vulnerabilities/id/eb2f6c67-ef4a-4afc-bd61-6c0185e354a8?source=cve
https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L71
https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L216
https://plugins.trac.wordpress.org/changeset/3406987
 
premmerce–Premmerce Brands for WooCommerce The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings. 2025-12-12 4.3 CVE-2025-12783 https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve
https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-brands/tags/1.2.13/src/Admin/Admin.php#L101
 
IBM–InfoSphere Information Server IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. 2025-12-08 4.6 CVE-2025-12832 https://www.ibm.com/support/pages/node/7253507
 
Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co.–DijiDemi Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers. This issue affects DijiDemi: through 28.11.2025. 2025-12-10 4.3 CVE-2025-13125 https://www.usom.gov.tr/bildirim/tr-25-0442
 
imaqpress–IMAQ CORE The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin’s URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-13363 https://www.wordfence.com/threat-intel/vulnerabilities/id/684de9c5-6f94-455d-b095-9f2df733ab95?source=cve
https://plugins.trac.wordpress.org/browser/imaq-core/trunk/libs/AcademixCorePermalink.php#L58
https://plugins.trac.wordpress.org/browser/imaq-core/tags/1.2.1/libs/AcademixCorePermalink.php#L58
 
frapesce–Rabbit Hole The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin’s reset functionality. This makes it possible for unauthenticated attackers to reset the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks. 2025-12-12 4.3 CVE-2025-13366 https://www.wordfence.com/threat-intel/vulnerabilities/id/eab5de7e-ddab-4c6f-af87-acce7b5ff15b?source=cve
https://plugins.trac.wordpress.org/browser/rabbit-hole/trunk/functions/admin.php#L7
https://plugins.trac.wordpress.org/browser/rabbit-hole/tags/1.1/functions/admin.php#L7
 
foxtheme–Foxtool All-in-One: Contact chat button, Custom login, Media optimize images The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-13408 https://www.wordfence.com/threat-intel/vulnerabilities/id/40886b66-f6a2-404c-9d0d-5fc3da6a896c?source=cve
https://plugins.svn.wordpress.org/foxtool/tags/2.5.2/inc/goo.php
https://wordpress.org/plugins/foxtool/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416529%40foxtool&new=3416529%40foxtool&sfp_email=&sfph_mail=
 
specialk–Simple Download Counter The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution. 2025-12-10 4.9 CVE-2025-13677 https://www.wordfence.com/threat-intel/vulnerabilities/id/b82a0f71-29d7-469a-8c69-5ab68d599cb9?source=cve
https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-admin.php#L566
https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.2.2/inc/functions-admin.php#L566
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3409876%40simple-download-counter&new=3409876%40simple-download-counter&sfp_email=&sfph_mail=
 
maartenbelmans–Advanced Product Fields (Product Addons) for WooCommerce The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the ‘maybe_duplicate’ function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-09 4.3 CVE-2025-13924 https://www.wordfence.com/threat-intel/vulnerabilities/id/f8906333-7024-40d3-91cd-2ecbbf20314f?source=cve
https://github.com/Baodaica/advanced-product-fields-for-woocommerce/blob/main/class-admin-controller.php#L130-L133
https://plugins.trac.wordpress.org/changeset/3411740/
 
thewellnessway–TWW Protein Calculator The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header’ setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-12 4.4 CVE-2025-13971 https://www.wordfence.com/threat-intel/vulnerabilities/id/b57749db-0a47-44f8-8607-d0d962c5ced2?source=cve
https://plugins.trac.wordpress.org/browser/twwc-protein/tags/1.0.24/templates/protein-calculator-compact.php#L19
https://plugins.trac.wordpress.org/browser/twwc-protein/tags/1.0.24/templates/protein-calculator-large.php#L32
https://plugins.trac.wordpress.org/browser/twwc-protein/trunk/templates/protein-calculator-compact.php#L19
https://plugins.trac.wordpress.org/browser/twwc-protein/trunk/templates/protein-calculator-large.php#L32
 
watchtowerhq–WatchTowerHQ The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the ‘wht_download_big_object_origin’ parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. 2025-12-12 4.9 CVE-2025-13972 https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve
https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104
https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104
 
izuchy–Contact Form 7 with ChatWork The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_token’ and ‘roomid’ settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-12 4.4 CVE-2025-13975 https://www.wordfence.com/threat-intel/vulnerabilities/id/f5d8616b-8757-426e-a4ae-bd851d35e296?source=cve
https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/tags/1.1.0/contact-form-7-chatwork.php#L80
https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/tags/1.1.0/contact-form-7-chatwork.php#L89
https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/trunk/contact-form-7-chatwork.php#L80
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests. 2025-12-11 4.3 CVE-2025-13978 https://gitlab.com/gitlab-org/gitlab/-/work_items/566960
GitLab Issue #566960
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
codnloc–Purchase and Expense Manager The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the ‘sup_pt_handle_deletion’ function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-13987 https://www.wordfence.com/threat-intel/vulnerabilities/id/c9826506-2292-44a7-9564-832e54bf4fba?source=cve
https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/trunk/purchase-and-expense-manager.php#L604
https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/tags/1.1.2/purchase-and-expense-manager.php#L604
 
jeremybmerrill–DebateMaster The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the debate shortcode. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-12 4.4 CVE-2025-14035 https://www.wordfence.com/threat-intel/vulnerabilities/id/a68cb059-972f-473d-90cb-41ccda052b08?source=cve
https://wordpress.org/plugins/debatemaster/
https://plugins.trac.wordpress.org/browser/debatemaster/trunk/debatemaster.php#L30
https://plugins.trac.wordpress.org/browser/debatemaster/tags/1.0.0/debatemaster.php#L30
https://plugins.trac.wordpress.org/browser/debatemaster/trunk/debatemaster.php#L87
https://plugins.trac.wordpress.org/browser/debatemaster/tags/1.0.0/debatemaster.php#L87
 
apprhyme–URL Media Uploader The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files. 2025-12-12 4.3 CVE-2025-14045 https://www.wordfence.com/threat-intel/vulnerabilities/id/57f09da9-0d2c-45db-b3ed-19a7c9f5a001?source=cve
https://plugins.trac.wordpress.org/browser/url-media-uploader/trunk/url-media-uploader.php#L52
https://gist.github.com/jasoncarle/925401bb11833b1ced2342390e20718e
https://plugins.trac.wordpress.org/browser/url-media-uploader/tags/1.0.1/url-media-uploader.php#L52
 
jonahsc–SimplyConvert The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘simplyconvert_hash’ option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-12 4.4 CVE-2025-14048 https://www.wordfence.com/threat-intel/vulnerabilities/id/2d720466-e470-46a3-8129-3e58e1928f0d?source=cve
https://plugins.trac.wordpress.org/browser/simplyconvert/trunk/simplyconvert.php#L137
https://plugins.trac.wordpress.org/browser/simplyconvert/tags/1.0/simplyconvert.php#L137
 
uxl–Design Import/Export Styles, Templates, Template Parts and Patterns The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-13 4.9 CVE-2025-14050 https://www.wordfence.com/threat-intel/vulnerabilities/id/beb489d3-2c1b-4af5-b73e-126d2526e0a3?source=cve
https://plugins.trac.wordpress.org/browser/design-import-export/trunk/includes/importer.php#L162
https://plugins.trac.wordpress.org/browser/design-import-export/tags/2.2/includes/importer.php#L162
https://plugins.trac.wordpress.org/changeset/3416324
 
webdevstudios–Custom Post Type UI The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘label’ parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page. 2025-12-13 4.4 CVE-2025-14056 https://www.wordfence.com/threat-intel/vulnerabilities/id/890c743e-da5e-46ed-a011-cecd24778163?source=cve
https://plugins.trac.wordpress.org/browser/custom-post-type-ui/trunk/inc/tools-sections/tools-post-types.php#L201
https://plugins.trac.wordpress.org/browser/custom-post-type-ui/tags/1.18.1/inc/tools-sections/tools-post-types.php#L201
https://github.com/WebDevStudios/custom-post-type-ui/pull/1014/files#diff-bd3331205024f12a78d74b312bc4f5ad118b5734999bf53a4a95e0959891f60a
 
tekafran–Animated Pixel Marquee Creator The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the ‘marquee’ parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14062 https://www.wordfence.com/threat-intel/vulnerabilities/id/c727ab41-c091-4fff-8abe-f52a904cd9f0?source=cve
https://plugins.trac.wordpress.org/browser/animated-pixel-marquee-creator/trunk/admin/marquees_list.php#L44
https://plugins.trac.wordpress.org/browser/animated-pixel-marquee-creator/tags/1.0.0/admin/marquees_list.php#L44
 
octagonsimon–Coding Blocks The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14158 https://www.wordfence.com/threat-intel/vulnerabilities/id/5a4833de-d530-4bbf-ac28-e5d4b5f68f1e?source=cve
https://plugins.trac.wordpress.org/browser/coding-blocks/trunk/admin/pages/settings.php#L11
https://plugins.trac.wordpress.org/browser/coding-blocks/tags/1.1.0/admin/pages/settings.php#L11
https://wordpress.org/plugins/coding-blocks/#developers
 
ays-pro–Secure Copy Content Protection and Content Locking The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the ‘ays_sccp_results_export_file’ AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated. 2025-12-12 4.3 CVE-2025-14159 https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve
https://wordpress.org/plugins/secure-copy-content-protection/#developers
https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645
https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696
 
justdave–Upcoming for Calendly The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin’s Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14160 https://www.wordfence.com/threat-intel/vulnerabilities/id/d66d6f36-ad16-40ba-b32f-f4aff6f8b494?source=cve
https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/trunk/includes/settings.php#L33
https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/tags/1.2.4/includes/settings.php#L33
https://wordpress.org/plugins/upcoming-for-calendly/#developers
https://plugins.trac.wordpress.org/changeset/3415892/
 
truefy–Truefy Embed The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the ‘truefy_embed_options_update’ settings update action. This makes it possible for unauthenticated attackers to update the plugin’s settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14161 https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve
https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431
https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431
 
magblogapi–BMLT WordPress Plugin The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the ‘BMLTPlugin_create_option’ and ‘BMLTPlugin_delete_option’ actions. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14162 https://www.wordfence.com/threat-intel/vulnerabilities/id/0344f49b-f5f9-4729-ade0-cba6289406de?source=cve
https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/trunk/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848
https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/tags/3.11.4/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848
 
developerke–Kirim.Email WooCommerce Integration The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin’s settings page. This makes it possible for unauthenticated attackers to modify the plugin’s API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14165 https://www.wordfence.com/threat-intel/vulnerabilities/id/70993f6f-d9b0-49d5-b35e-e129f96529f6?source=cve
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L113
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L113
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L137
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L137
 
Campcodes–Retro Basketball Shoes Online Store A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-08 4.7 CVE-2025-14219 VDB-334661 | Campcodes Retro Basketball Shoes Online Store admin_running.php unrestricted upload
VDB-334661 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701209 | Campcodes Retro Basketball Shoes Online Store V1.0 Unrestricted Upload
https://github.com/yyue02/cve/issues/1
https://www.campcodes.com/
 
ORICO–CD3510 A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-08 4.3 CVE-2025-14220 VDB-334662 | ORICO CD3510 File Upload path traversal
VDB-334662 | CTI Indicators (IOB, IOC, TTP)
Submit #701302 | ORICO CD3510 NAS V1.9.12 Incorrect Access Control
https://www.notion.so/2b66cf4e528a8002aa39df57a71b105a
 
Yottamaster–DM2 A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-08 4.3 CVE-2025-14224 VDB-334666 | Yottamaster DM2/DM3/DM200 File Upload path traversal
VDB-334666 | CTI Indicators (IOB, IOC, TTP)
Submit #701673 | Yottamaster DM200 V1.2.23 Vertical Privilege Escalation
https://www.notion.so/2b76cf4e528a80f6ae50fe21b13ff0b8
 
SourceCodester–Inventory Management System A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 2025-12-08 4.7 CVE-2025-14229 VDB-334671 | SourceCodester Inventory Management System SVC Report Export csv injection
VDB-334671 | CTI Indicators (IOB, IOC)
Submit #702119 | SourceCodester Inventory Management System 1.0 CSV Injection
https://www.notion.so/Spreadsheet-Formula-Injection-Leading-to-Remote-Code-Execution-in-SourceCodester-Inventory-Managemen-2b723917db8c80dfaaabe2b74d6f283d?source=copy_link
https://www.sourcecodester.com/
 
Galaxy Software Services–Vitals ESP Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files. 2025-12-08 4.9 CVE-2025-14253 https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html
https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html
 
gallerycreator–Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`. 2025-12-13 4.3 CVE-2025-14288 https://www.wordfence.com/threat-intel/vulnerabilities/id/60ab0311-888c-46ae-98fe-9e7d4dfe13bf?source=cve
https://plugins.trac.wordpress.org/browser/simply-gallery-block/tags/3.2.8/plugin.php#L593
https://plugins.trac.wordpress.org/changeset/3418101/simply-gallery-block/trunk/plugin.php?old=3415010&old_path=simply-gallery-block%2Ftrunk%2Fplugin.php
 
MongoDB Inc.–MongoDB Server A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2. 2025-12-09 4.2 CVE-2025-14345 https://jira.mongodb.org/browse/SERVER-106075
 
doubledome–Resource Library for Logged In Users The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14354 https://www.wordfence.com/threat-intel/vulnerabilities/id/71b82f1e-14ae-4eb3-9b46-5fcea1cd5a32?source=cve
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L406
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L406
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L168
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L168
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L530
https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L530
 
themefic–Ultra Addons for Contact Form 7 The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘uacf7_get_generated_pdf’ function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and retrieve form submission PDFs when the “PDF Generator” and the “Database” addons are enabled (disabled by default). 2025-12-12 4.3 CVE-2025-14356 https://www.wordfence.com/threat-intel/vulnerabilities/id/3af9ece0-1556-4457-87ee-343daec5e74f?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L316
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L321
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L341
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L53
https://plugins.trac.wordpress.org/changeset/3417590/ultimate-addons-for-contact-form-7
 
themeregion–Quick Testimonials The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-13 4.4 CVE-2025-14378 https://www.wordfence.com/threat-intel/vulnerabilities/id/1907308f-a722-48ce-8da4-a6c21ee29575?source=cve
https://wordpress.org/plugins/quick-testimonials/
 
darendev–Simple Theme Changer The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-12 4.3 CVE-2025-14391 https://www.wordfence.com/threat-intel/vulnerabilities/id/efa9b44d-8b6c-4a11-82af-cecc2c202024?source=cve
https://plugins.trac.wordpress.org/browser/simple-theme-changer/tags/1.0/class_theme_changer.php#L262
 
darendev–Simple Theme Changer The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin’s settings. 2025-12-12 4.3 CVE-2025-14392 https://www.wordfence.com/threat-intel/vulnerabilities/id/880712ee-373f-49e7-93e3-968f3a0f3f83?source=cve
https://plugins.trac.wordpress.org/browser/simple-theme-changer/tags/1.0/class_theme_changer.php#L262
 
melodicmedia–Popover Windows The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-13 4.3 CVE-2025-14394 https://www.wordfence.com/threat-intel/vulnerabilities/id/c2af263f-960b-4807-bc85-d136136fa30f?source=cve
https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98
 
melodicmedia–Popover Windows The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin’s settings and content. 2025-12-13 4.3 CVE-2025-14395 https://www.wordfence.com/threat-intel/vulnerabilities/id/0cae43cb-a0b7-4067-95b3-26fec31ebf42?source=cve
https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98
 
solutionsbysteve–Solutions Ad Manager The Solutions Ad Manager plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.0.0. This is due to insufficient validation on the redirect URL supplied via the ‘sam-redirect-to’ parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. 2025-12-13 4.7 CVE-2025-14451 https://www.wordfence.com/threat-intel/vulnerabilities/id/696495c5-c8f8-4790-af89-1ee911767b1b?source=cve
https://plugins.trac.wordpress.org/browser/solutions-ad-manager/trunk/public/class-solutions-ad-manager-public.php#L30
https://plugins.trac.wordpress.org/browser/solutions-ad-manager/tags/1.0.0/public/class-solutions-ad-manager-public.php#L30
 
ays-pro–Image Slider by Ays- Responsive Slider and Carousel The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-13 4.3 CVE-2025-14454 https://www.wordfence.com/threat-intel/vulnerabilities/id/e211df80-aab7-43a1-8c11-a472f90ef4c6?source=cve
https://plugins.trac.wordpress.org/browser/ays-slider/trunk/includes/lists/class-ays-slider-list-table.php#L430
https://plugins.trac.wordpress.org/browser/ays-slider/tags/2.7.0/includes/lists/class-ays-slider-list-table.php#L430
https://plugins.trac.wordpress.org/changeset/3417916/ays-slider/tags/2.7.1/includes/lists/class-ays-slider-list-table.php?old=3278880&old_path=ays-slider%2Ftags%2F2.7.0%2Fincludes%2Flists%2Fclass-ays-slider-list-table.php
 
owais4377–Lucky Draw Contests The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-13 4.3 CVE-2025-14462 https://www.wordfence.com/threat-intel/vulnerabilities/id/49364a21-775a-4de0-84f8-e62aa1a5fefd?source=cve
https://plugins.trac.wordpress.org/browser/lucky-draw/tags/4.2/includes/misc-settings.php
 
wpjobportal–WP Job Portal AI-Powered Recruitment System for Company or Job Board website The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities. This only impacts multi-site installations, or those with unfiltered_html disabled. 2025-12-12 4.4 CVE-2025-14467 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c347b9f-d297-4cb5-9c4a-1001d845ed5a?source=cve
https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/includes/constants.php#L351
https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/includes/constants.php#L351
https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/model.php#L1278
https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/model.php#L1278
https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/tmpl/views/frontend/title.php#L231
https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/tmpl/views/frontend/title.php#L231
 
aaron13100–404 Solution The 404 Solution plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This is due to improper sanitization of the `filterText` parameter in the `ajaxUpdatePaginationLinks` AJAX action. The sanitization logic can be bypassed by using the sequence `*$/` which becomes `*/` after the `$` character is removed, allowing attackers to escape SQL comment contexts. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind SQL injection technique. 2025-12-13 4.9 CVE-2025-14477 https://www.wordfence.com/threat-intel/vulnerabilities/id/389bee79-b59f-484a-86df-f041d6b00051?source=cve
https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/DataAccess.php#L977
https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/DataAccess.php#L987
https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/PluginLogic.php#L1595
https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/sql/getRedirectsForView.sql#L106
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417333%40404-solution&new=3417333%40404-solution&sfp_email=&sfph_mail=
 
baowzh–hfly A security vulnerability has been detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The affected element is an unknown function of the file /admin/index.php/datafile/download. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 4.3 CVE-2025-14521 VDB-335859 | baowzh hfly download path traversal
VDB-335859 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702949 | GitHub hfly 1.0 Arbitrary file reading
https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20download%20filename%20Arbitrary%20file%20reading.md
 
SourceCodester–Real Estate Property Listing App A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2025-12-11 4.7 CVE-2025-14530 VDB-335871 | SourceCodester Real Estate Property Listing App property.php unrestricted upload
VDB-335871 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703238 | SourceCodester Real Estate Property Listing App Using PHP and MySQL with Source Code 1 Unrestricted Upload
https://github.com/zzdzz7/cve/issues/2
https://www.sourcecodester.com/
 
code-projects–Rental Management System A vulnerability was found in code-projects Rental Management System 2.0. This affects an unknown function of the file Transaction.java of the component Log Handler. Performing manipulation results in crlf injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2025-12-11 4.3 CVE-2025-14531 VDB-335872 | code-projects Rental Management System Log Transaction.java crlf injection
VDB-335872 | CTI Indicators (IOB, IOC, IOA)
Submit #703239 | code-projects rental-management-system 2.0 CRLF Injection
https://github.com/asd1238525/cve/blob/main/CRLF.md
https://code-projects.org/
 
userback–Userback The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the plugin’s configuration data, including the Userback API access token, and the site’s posts/pages contents, including those that have private and draft status. 2025-12-13 4.3 CVE-2025-14540 https://www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03?source=cve
https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148
 
campcodes–Online Student Enrollment System A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. 2025-12-12 4.7 CVE-2025-14582 VDB-336202 | campcodes Online Student Enrollment System index.php unrestricted upload
VDB-336202 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705524 | campcodes Online Student Enrollment System V1.0 Unrestricted Upload
https://github.com/CHENCHOUCHOU/vuln/issues/2
https://www.campcodes.com/
 
code-projects–Computer Laboratory System A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used. 2025-12-14 4.7 CVE-2025-14641 VDB-336374 | code-projects Computer Laboratory System admin_pic.php unrestricted upload
VDB-336374 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707865 | code-projects.org Computer Laboratory System In PHP With Source Code 1.0 Unrestricted Upload
https://github.com/Yohane-Mashiro/cve/blob/main/upload%203.md
https://code-projects.org/
 
code-projects–Computer Laboratory System A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-14 4.7 CVE-2025-14642 VDB-336375 | code-projects Computer Laboratory System technical_staff_pic.php unrestricted upload
VDB-336375 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707866 | code-projects.org Computer Laboratory System In PHP With Source Code 1.0 Incomplete Identification of Uploaded File Variables
https://github.com/Yohane-Mashiro/cve/blob/main/upload%204.md
https://code-projects.org/
 
n/a–DedeBIZ A security vulnerability has been detected in DedeBIZ up to 6.5.9. Affected by this vulnerability is an unknown functionality of the file /src/admin/catalog_add.php. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 2025-12-14 4.7 CVE-2025-14648 VDB-336381 | DedeBIZ catalog_add.php command injection
VDB-336381 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710164 | DedeBIZ 6.5.9 Code Injection
https://github.com/HOrange147/CVE/blob/main/DedeBIZ%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C.pdf
 
Mayan–EDMS A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is “[f]ixed in version 4.10.2”. Furthermore, that “[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete.” 2025-12-14 4.3 CVE-2025-14691 VDB-336409 | Mayan EDMS authentication cross site scripting
VDB-336409 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711713 | Mayan EDMS CMS 4.10 Cross Site Scripting
https://github.com/ionutluca888/Mayan-EDMS-XSS-POC
https://docs.mayan-edms.com/chapters/releases/4.10.2.html
https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
 
Mayan–EDMS A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes an open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is “[f]ixed in version 4.10.2”. Furthermore, that “[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete.” 2025-12-14 4.3 CVE-2025-14692 VDB-336410 | Mayan EDMS authentication redirect
VDB-336410 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711729 | Mayan EDMS CMS 4.10 Open Redirect
https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main
https://docs.mayan-edms.com/chapters/releases/4.10.2.html
https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
 
IBM–Controller IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 are vulnerable to creation of temporary files without atomic operations, which may expose sensitive information to an authenticated user due to race condition attacks. 2025-12-08 4.3 CVE-2025-33111 https://www.ibm.com/support/pages/node/7253273
 
IBM–IBM Planning Analytics Local IBM Planning Analytics Local 2.1.0 – 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system. 2025-12-09 4.3 CVE-2025-36437 https://www.ibm.com/support/pages/node/7253603
 
Siemens–SINEMA Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications do not properly validate license restrictions against the database, allowing direct modification of the system_ticketinfo table to bypass license limitations without proper enforcement checks. This could allow an attacker with database access to circumvent licensing restrictions by directly modifying database values, potentially enabling unauthorized use beyond the permitted scope. 2025-12-09 4.3 CVE-2025-40819 https://cert-portal.siemens.com/productcert/html/ssa-626856.html
 
Siemens–RUGGEDCOM RMC8388 V5.X A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.1), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.1), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.1), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.1), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.1), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.1), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.1), RUGGEDCOM RSG907R (All versions < V5.10.1), RUGGEDCOM RSG908C (All versions < V5.10.1), RUGGEDCOM RSG909R (All versions < V5.10.1), RUGGEDCOM RSG910C (All versions < V5.10.1), RUGGEDCOM RSG920P V5.X (All versions < V5.10.1), RUGGEDCOM RSL910 (All versions < V5.10.1), RUGGEDCOM RST2228 (All versions < V5.10.1), RUGGEDCOM RST2228P (All versions < V5.10.1), RUGGEDCOM RST916C (All versions < V5.10.1), RUGGEDCOM RST916P (All versions < V5.10.1). Affected devices do not properly validate input during the TLS certificate upload process of the web service. This could allow an authenticated remote attacker to trigger a device crash and reboot, leading to a temporary Denial of Service on the device. 2025-12-09 4.3 CVE-2025-40935 https://cert-portal.siemens.com/productcert/html/ssa-763474.html
 
Siemens–SIMATIC CN 4100 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the device to trigger a reboot that could cause a denial of service condition. 2025-12-09 4.6 CVE-2025-40939 https://cert-portal.siemens.com/productcert/html/ssa-416652.html
 
Siemens–SIMATIC CN 4100 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application exhibits inconsistent SNMP behavior, such as unexpected service availability and unreliable configuration handling across protocol versions. This could allow an attacker to access sensitive data, potentially leading to a breach of confidentiality. 2025-12-09 4.9 CVE-2025-40940 https://cert-portal.siemens.com/productcert/html/ssa-416652.html
 
Siemens–SIMATIC CN 4100 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device exposes server information in its responses. This could allow an attacker with network access to gain useful information, increasing the likelihood of targeted attacks. 2025-12-09 4.3 CVE-2025-40941 https://cert-portal.siemens.com/productcert/html/ssa-416652.html
 
Phoenix Contact–FL SWITCH 2005 A low privileged remote attacker can use the ssh feature to execute commands directly after login. The process stays open and uses resources, which leads to reduced performance of the management functions. Switching functionality is not affected. 2025-12-09 4.3 CVE-2025-41693 https://certvde.com/de/advisories/VDE-2025-071
 
Phoenix Contact–FL SWITCH 2005 An attacker can use an undocumented UART port on the PCB as a side-channel with the hardcoded user credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. 2025-12-09 4.6 CVE-2025-41696 https://certvde.com/de/advisories/VDE-2025-071
 
TeamViewer–DEX A vulnerability in TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information. 2025-12-11 4.3 CVE-2025-46266 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/
 
Huawei–HarmonyOS Permission control vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2025-12-08 4.4 CVE-2025-58279 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Fortinet–FortiWeb A use of password hash instead of password for authentication vulnerability [CWE-836] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests. 2025-12-09 4.4 CVE-2025-64471 https://fortiguard.fortinet.com/psirt/FG-IR-25-984
 
Enalean–tuleap Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers to trick victims into changing tracker general settings. This issue is fixed in Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10. 2025-12-08 4.6 CVE-2025-64498 https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg
https://github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=993316dd6a291bb3937cb7a4571eaab0e7d55370
https://tuleap.net/plugins/tracker/?aid=45593
 
Enalean–tuleap Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Edition versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through the planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10. 2025-12-08 4.6 CVE-2025-64499 https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x
https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526
https://tuleap.net/plugins/tracker/?aid=45592
 
Enalean–tuleap Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8. 2025-12-08 4.6 CVE-2025-64760 https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p
https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4
https://tuleap.net/plugins/tracker/?aid=45618
 
Adobe–Adobe Experience Manager Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. 2025-12-10 4.8 CVE-2025-64872 https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
 
Adobe–ColdFusion ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction. 2025-12-09 4.3 CVE-2025-64898 https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
 
Enalean–tuleap Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are missing CSRF protections in tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9. 2025-12-08 4.6 CVE-2025-65962 https://github.com/Enalean/tuleap/security/advisories/GHSA-9hgc-cm68-rrgc
https://github.com/Enalean/tuleap/commit/26678c5b411042e68964b199bf88a44607550633
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=26678c5b411042e68964b199bf88a44607550633
https://tuleap.net/plugins/tracker/?aid=45632
 
Huawei–HarmonyOS Permission control vulnerability in the window management module. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 4 CVE-2025-66329 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS App lock verification bypass vulnerability in the file management app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2025-12-08 4.9 CVE-2025-66330 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
umbraco–Umbraco-CMS Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents. In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. This issue is fixed in version 13.12.1. 2025-12-09 4.9 CVE-2025-66625 https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x
https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615
 
LabRedesCefetRJ–WeGIA WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5. 2025-12-09 4.3 CVE-2025-67496 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9843-qm67-73h2
https://github.com/LabRedesCefetRJ/WeGIA/commit/c80b8cacd310fd459df61c030fb267c5e68cafc7
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.5.5
 
CISA–Software Acquisition Guide Tool The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user’s browser when the user submits the page (clicks ‘Next’). 2025-12-12 4.4 CVE-2025-67634
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11, stored XSS was possible via a session attribute. 2025-12-11 4.8 CVE-2025-67741 https://www.jetbrains.com/privacy-security/issues-fixed/
 
SpaceX–Starlink Dish SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker’s ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish. 2025-12-11 4.2 CVE-2025-67780 https://www.akawlabs.com/blog/starlink-grpc-execution
 
MJML–MJML MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827. 2025-12-14 4.5 CVE-2025-67898 https://github.com/mjmlio/mjml/issues/3018
 

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
emrevona–WP Fastest Cache The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the ‘get_server_time_ajax_request’ AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2025-12-12 3.5 CVE-2025-10583 https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e64c54-a78f-454a-a9ee-02f64b6ae83d?source=cve
https://research.cleantalk.org/2025-10583
https://www.wpfastestcache.com/changelog/
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to leak sensitive information from specifically crafted merge request titles. 2025-12-11 3.5 CVE-2025-12734 GitLab Issue #579573
HackerOne Bug Bounty Report #3379381
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
 
TAC Information Services Internal and External Trade Inc.–GoldenHorn Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS). This issue affects GoldenHorn: before 4.25.1121.1. 2025-12-10 3.5 CVE-2025-13127 https://www.usom.gov.tr/bildirim/tr-25-0441
 
SourceCodester–Online Banking System A vulnerability was detected in SourceCodester Online Banking System 1.0. This impacts an unknown function of the file /?page=user. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. 2025-12-08 3.5 CVE-2025-14221 VDB-334663 | SourceCodester Online Banking System page cross site scripting
VDB-334663 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #701624 | SourceCodester Online Banking System July 14, 2021 – 17:13 Cross Site Scripting
https://mega.nz/file/T4hjCagS#87U1JgRHZWzXW2HTpBIG-H9dJ_w9kUERmaaQqJyB5_Q
https://www.sourcecodester.com/
 
Yealink–SIP-T21P E2 A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. Impacted is an unknown function of the component Local Directory Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-08 3.5 CVE-2025-14228 VDB-334670 | Yealink SIP-T21P E2 Local Directory cross site scripting
VDB-334670 | CTI Indicators (IOB, IOC, TTP)
Submit #701949 | Yealink T21P_2E 52.84.0.15 Cross Site Scripting
https://drive.google.com/file/d/1vptRtEeoS1AZgnqow1yPrsgsBkw4jXc2/view?usp=sharing
 
baowzh–hfly A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-11 3.5 CVE-2025-14519 VDB-335857 | baowzh hfly advtext add cross site scripting
VDB-335857 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702943 | GitHub hfly 1.0 Stored Cross-Site Scripting
https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20advtext%20add%20Stored%20Cross-Site%20Scripting(XSS).md
 
yangshare–warehouseManager A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. This affects the function addCustomer of the file CustomerManageHandler.java. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2025-12-11 3.5 CVE-2025-14538 VDB-335877 | yangshare warehouseManager 仓库管理系统 CustomerManageHandler.java addCustomer cross site scripting
VDB-335877 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #703736 | gitee WarehouseManager v1.1.0 – Remove CAPTCHA Improper Neutralization of Alternate XSS Syntax
https://gitee.com/yangshare/warehouseManager/issues/ID9NAU
 
n/a–Qualitor A security vulnerability has been detected in Qualitor up to 8.24.73. The impacted element is an unknown function of the file /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php. Such manipulation of the argument cdscript leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component. The vendor confirms the existence of the issue: “We became aware of the issue through an earlier direct notification from the original reporter, and our engineering team promptly investigated and implemented the necessary corrective measures. (…) Updated versions containing the fix have already been provided to our customer base”. 2025-12-12 3.5 CVE-2025-14580 VDB-336201 | Qualitor viewDocumento.php cross site scripting
VDB-336201 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705193 | Qualitor 8.20.77 – 8.24.73 Cross Site Scripting
 
Tenda–AX9 A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. 2025-12-13 3.7 CVE-2025-14636 VDB-336361 | Tenda AX9 httpd image_check weak hash
VDB-336361 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707213 | Tenda AX9 V22.03.01.46 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/AX9_Inte.md
https://www.tenda.com.cn/
 
MartialBE–one-hub A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The code maintainer recommends (translated from Chinese): “The default docker-compose example file is not recommended for production use. If you intend to use it in production, please carefully check and modify every configuration and environment variable yourself!” 2025-12-14 3.7 CVE-2025-14651 VDB-336384 | MartialBE one-hub docker-compose.yml hard-coded key
VDB-336384 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710249 | https://github.com/MartialBE https://github.com/MartialBE/one-hub ≤ v0.14.27 Authentication Bypass by Primary Weakness
https://github.com/MartialBE/one-hub/issues/872
https://github.com/MartialBE/one-hub/issues/872#issuecomment-3616033169
https://github.com/MartialBE/one-hub/blob/main/docker-compose.yml#L15C24-L15C38
 
Siemens–SINEMA Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications contain private SSL/TLS keys on the server that are not properly protected, allowing any user with server access to read these keys. This could allow an authenticated attacker to impersonate the server, potentially enabling man-in-the-middle attacks, traffic decryption or unauthorized access to services that trust these certificates. 2025-12-09 3.3 CVE-2025-40818 https://cert-portal.siemens.com/productcert/html/ssa-626856.html
 
Adobe–Acrobat Reader Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited unauthorized write access. Exploitation of this issue does not require user interaction. 2025-12-09 3.3 CVE-2025-64786 https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
 
Adobe–Acrobat Reader Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass cryptographic protections and gain limited unauthorized write access. Exploitation of this issue does not require user interaction. 2025-12-09 3.3 CVE-2025-64787 https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
 
Huawei–HarmonyOS Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 3.3 CVE-2025-66331 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 3.3 CVE-2025-66332 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 3.3 CVE-2025-66333 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
Huawei–HarmonyOS Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. 2025-12-08 3.3 CVE-2025-66334 https://consumer.huawei.com/en/support/bulletin/2025/12/
 
mastodon–mastodon Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3. 2025-12-09 3.7 CVE-2025-67500 https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8
https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f
 
Telepedia–TableProgressTracking TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim’s browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension. 2025-12-10 3.5 CVE-2025-67646 https://github.com/Telepedia/TableProgressTracking/security/advisories/GHSA-j24f-hw6w-cq78
https://github.com/Telepedia/TableProgressTracking/commit/e2aa8c4b3bb78989c6fe39070a95a26d22b91c94
 
AzuraCast–AzuraCast AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station’s operations can craft a custom HTTP request that would affect the contents of a station’s database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the corresponding internal filesystem structure. This issue is fixed in version 0.23.2. 2025-12-12 3.1 CVE-2025-67737 https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-9449-rphm-mjqr
https://github.com/AzuraCast/AzuraCast/commit/34620dbad93f6cd8e209a4220e3e53c7c5fea844
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local path disclosure. 2025-12-11 3.1 CVE-2025-67739 https://www.jetbrains.com/privacy-security/issues-fixed/
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 path traversal was possible via file upload. 2025-12-11 3.8 CVE-2025-67742 https://www.jetbrains.com/privacy-security/issues-fixed/
 
rtcamp–rtMedia for WordPress, BuddyPress and bbPress The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts. 2025-12-13 3.7 CVE-2025-9218 https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a263-757b018af129?source=cve
https://wordpress.org/plugins/buddypress-media/#developers
https://plugins.trac.wordpress.org/changeset/3386907/buddypress-media/tags/4.7.4/app/main/controllers/api/RTMediaJsonApi.php
 
IBM–IBM QRadar SIEM IBM QRadar SIEM 7.5 – 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information. IBM has addressed this vulnerability in the latest update. 2025-12-09 2.7 CVE-2024-56464 https://www.ibm.com/support/pages/node/7253664
 
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. 2025-12-10 2.7 CVE-2025-14082 https://access.redhat.com/security/cve/CVE-2025-14082
RHBZ#2419078
 
n/a–GreenCMS A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-08 2.4 CVE-2025-14244 VDB-334754 | GreenCMS Menu Management CustomController.class.php cross site scripting
VDB-334754 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #702435 | GreenCMS 2.3.0603 CWE-79 – Cross-site Scripting
https://gist.github.com/b1uel0n3/83f9965b3499a2abfee30c77458f718a
 
code-projects–Student File Management System A vulnerability was found in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php of the component Update User Page. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. 2025-12-14 2.4 CVE-2025-14662 VDB-336394 | code-projects Student File Management System Update User update_user.php cross site scripting
VDB-336394 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713873 | Code-projects Student File Management System v1.0 Stored XSS vulnerability
https://github.com/jjjjj-zr/jjjjjzr15/issues/1
https://code-projects.org/
 
code-projects–Student File Management System A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-14 2.4 CVE-2025-14663 VDB-336395 | code-projects Student File Management System update_student.php cross site scripting
VDB-336395 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714018 | Code-projects Student File Management System v1.0 Stored XSS vulnerability
https://github.com/jjjjj-zr/jjjjjzr16/issues/1
https://code-projects.org/
 
IBM–Controller IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security. 2025-12-08 2.7 CVE-2025-36102 https://www.ibm.com/support/pages/node/7253273
 
Fortinet–FortiAuthenticator A direct request (‘forced browsing’) vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints. 2025-12-09 2.6 CVE-2025-57823 https://fortiguard.fortinet.com/psirt/FG-IR-25-554
 
Fortinet–FortiAuthenticator An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators’ messaging services via crafted requests. 2025-12-09 2.6 CVE-2025-59923 https://fortiguard.fortinet.com/psirt/FG-IR-25-616
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token’s metadata. 2025-12-11 2.7 CVE-2025-67740 https://www.jetbrains.com/privacy-security/issues-fixed/
 
uriparser project–uriparser uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. 2025-12-14 2.9 CVE-2025-67899 https://github.com/uriparser/uriparser/issues/282
https://github.com/uriparser/uriparser/pull/284
 


Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
MIYAGAWA–Plack::Middleware::Session Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks. 2025-12-09 not yet calculated CVE-2013-10031 https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4
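
Worked example added by the editor for the Plack-Middleware-Session entry above; it is not code from that project, from the linked commit or from this bulletin. It models the pre-fix behaviour with an early-exit string comparison whose examined-byte count stands in for the response time an attacker would measure, recovers a valid cookie MAC one hex digit at a time from that count alone, and shows the defence: a comparison that touches every byte whatever the input. The key, session identifier and HMAC construction are constructed for the demo, not taken from Plack:

```python
import hashlib
import hmac
from typing import Tuple

# Constructed demo values; nothing here is taken from Plack-Middleware-Session.
SERVER_KEY = b"demo-server-secret"
SESSION_ID = b"1d0c6e6b27a5e9c4"
HEX_DIGITS = "0123456789abcdef"
MAC_LEN = 64  # hex digits in a SHA-256 HMAC


def sign(session_id: bytes, key: bytes = SERVER_KEY) -> str:
    """Cookie MAC as the server computes it: hex(HMAC-SHA256(key, session_id))."""
    return hmac.new(key, session_id, hashlib.sha256).hexdigest()


def compare_early_exit(expected: str, presented: str) -> Tuple[bool, int]:
    """Models a plain string `eq`: stops at the first differing byte.
    Returns (equal, bytes_examined). The count stands in for the response
    time an attacker measures; only the boolean is meant to be visible."""
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for x, y in zip(expected, presented):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_vulnerable(session_id: bytes, presented: str) -> Tuple[bool, int]:
    """Vulnerable check: the MAC is compared with an early-exit comparison."""
    return compare_early_exit(sign(session_id), presented)


def verify_fixed(session_id: bytes, presented: str) -> bool:
    """compare_digest examines every byte whatever the input, so the time taken
    no longer depends on how long a prefix of the guess was correct."""
    return hmac.compare_digest(sign(session_id), presented)


def forge_mac_via_timing(session_id: bytes) -> str:
    """Recover a valid MAC for session_id without SERVER_KEY, using only what
    verify_vulnerable leaks: accepted-or-not plus 'time'. At each position the
    single digit that keeps the server comparing one byte further is the right
    one, so the search costs 16 guesses per digit instead of 16**64 overall."""
    recovered = ""
    for pos in range(MAC_LEN):
        for digit in HEX_DIGITS:
            candidate = recovered + digit + "0" * (MAC_LEN - pos - 1)
            accepted, examined = verify_vulnerable(session_id, candidate)
            if accepted or examined > pos + 1:
                recovered += digit
                break
        else:
            raise RuntimeError("no digit extended the comparison; oracle broken")
    return recovered


if __name__ == "__main__":
    forged = forge_mac_via_timing(SESSION_ID)
    print("forged MAC equals the server's MAC:", forged == sign(SESSION_ID))
```

Over a real network the count is noisy latency, so an attacker needs many samples per guess and a stable path to the server, but the search stays linear in the MAC length. With verify_fixed there is no count to read: every guess costs the same time, whether its first byte or its last byte is wrong.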
 
SpinetiX AG–Fusion Digital Signage SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests. 2025-12-10 not yet calculated CVE-2020-36883 ExploitDB-48844
Official Product Homepage
Zero Science Lab Disclosure ZSL-2020-5594
Mbed TLS GitHub Repository
VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations
 
BrightSign, LLC–BrightSign Digital Signage Diagnostic Web Server BrightSign Digital Signage Diagnostic Web Server 8.2.26 and earlier contains an unauthenticated server-side request forgery vulnerability in the ‘url’ GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts. 2025-12-10 not yet calculated CVE-2020-36884 ExploitDB-48843
BrightSign Homepage
Zero Science Lab Disclosure
Zero Science GitHub Repository
VulnCheck Advisory: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF
 
Sony Electronics Inc.–IPELA Network Camera Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code. Attackers can exploit the vulnerability by sending a crafted POST request with oversized data to the FTP client functionality, potentially causing remote code execution or denial of service. 2025-12-10 not yet calculated CVE-2020-36885 ExploitDB-48842
Fixed in 1.88.0.0
Zero Science Lab Disclosure
Product web page
VulnCheck Advisory: Sony IPELA Network Camera 1.82.01 Remote Stack Buffer Overflow via ftpclient.cgi
 
SpinetiX AG–Fusion Digital Signage SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page. 2025-12-10 not yet calculated CVE-2020-36886 ExploitDB-48846
Official Product Homepage
Zero Science Lab Disclosure ZSL-2020-5592
Product Homepage
VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Cross-Site Request Forgery via User Creation
 
SpinetiX AG–Fusion Digital Signage SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information. 2025-12-10 not yet calculated CVE-2020-36887 ExploitDB-48845
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5593
VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Unauthenticated Database Backup Disclosure
 
SpinetiX AG–Fusion Digital Signage SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server’s error responses. 2025-12-10 not yet calculated CVE-2020-36888 ExploitDB-48847
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5591
VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration via Login Script
 
EIBIZ Co.,Ltd.–i-Media Server Digital Signage Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication. 2025-12-10 not yet calculated CVE-2020-36892 ExploitDB-48774
Vulnerability Advisory
Reference
VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Unauthenticated Privilege Escalation
 
EIBIZ Co.,Ltd.–i-Media Server Digital Signage Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server’s root directory. Attackers can exploit the ‘oldfile’ GET parameter to view sensitive configuration files like web.xml and system files such as win.ini. 2025-12-10 not yet calculated CVE-2020-36893 ExploitDB-48766
EIBIZ Co.,Ltd. Product Web Page
Zero Science Advisory ID ZSL-2020-5585
VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Directory Traversal Vulnerability
 
EIBIZ Co.,Ltd.–i-Media Server Digital Signage Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls. 2025-12-10 not yet calculated CVE-2020-36894 ExploitDB-48763
Vulnerability Advisory
Reference
VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Unauthenticated User Creation Vulnerability
 
EIBIZ Co.,Ltd.–i-Media Server Digital Signage EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information. 2025-12-10 not yet calculated CVE-2020-36895 ExploitDB-48764
EIBIZ Co.,Ltd. Product Homepage
Zero Security Advisory ZSL-2020-5583
VulnCheck Advisory: EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure
 
Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.–QiHang Media Web Digital Signage QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the ‘/xml/User/User.xml’ file, enabling direct authentication bypass. 2025-12-10 not yet calculated CVE-2020-36896 ExploitDB-48748
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5579
VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cleartext Credentials Disclosure
 
Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.–QiHang Media Web Digital Signage QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the ‘remotePath’ and ‘fileToUpload’ parameters to write and execute arbitrary system commands on the server. 2025-12-10 not yet calculated CVE-2020-36897 ExploitDB-48751
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5582
VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Remote Code Execution
 
Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.–QiHang Media Web Digital Signage QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the ‘data’ parameter by sending a POST request with file paths to delete arbitrary files with web server permissions using directory traversal sequences. 2025-12-10 not yet calculated CVE-2020-36898 ExploitDB-48749
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5580
VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion
 
Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.–QiHang Media Web Digital Signage QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified ‘filename’ and ‘path’ parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and directory contents without authentication by manipulating download and getAll actions. 2025-12-10 not yet calculated CVE-2020-36899 ExploitDB-48750
Official Product Homepage
Vendor Security Advisory for ZSL-2020-5581
VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Disclosure
 
All-Dynamics Software GmbH–Digital Signage System All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft a malicious web page that automatically submits forms to create a new user with global administrative privileges when a logged-in user visits the page. 2025-12-10 not yet calculated CVE-2020-36900 ExploitDB-48736
Zero Science Advisory ID ZSL-2020-5576
All-Dynamics Software GmbH Homepage
VulnCheck Advisory: All-Dynamics Digital Signage System 2.0.2 Cross-Site Request Forgery via User Management
 
UBICOD Co., Ltd. | MEDIVISION INC.–UBICOD Medivision Digital Signage UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges. 2025-12-10 not yet calculated CVE-2020-36901 ExploitDB-48694
UBICOD Medivision Digital Signage Product Homepage
Zero Science Advisory for ZSL-2020-5574
VulnCheck Advisory: UBICOD Medivision Digital Signage 1.5.1 Cross-Site Request Forgery via User Management
 
UBICOD Co., Ltd. | MEDIVISION INC.–UBICOD Medivision Digital Signage UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the ‘ft[grp]’ parameter. Attackers can send a GET request to /html/user with ‘ft[grp]’ set to integer value ‘3’ to gain super admin rights without authentication. 2025-12-10 not yet calculated CVE-2020-36902 ExploitDB-48684
UBICOD Co., Ltd. | MEDIVISION INC.
Zero Security Advisory ZSL-2020-5575
VulnCheck Advisory: UBICOD Medivision Digital Signage 1.5.1 Authorization Bypass via User Privileges
 
OPEN BMCS–OpenBMCS OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script. Attackers can submit a malicious HTTP POST request to PHP scripts in ‘/plugins/useradmin/’ directory. 2025-12-09 not yet calculated CVE-2021-47701 ExploitDB-50669
Zero Science Lab Disclosure (ZSL-2022-5693)
VulnCheck Advisory: OpenBMCS User Management Privilege Escalation
 
OPEN BMCS–OpenBMCS OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings. 2025-12-09 not yet calculated CVE-2021-47702 ExploitDB-50667
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5691)
VulnCheck Advisory: OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php
 
OPEN BMCS–OpenBMCS OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the ‘ip’ parameter to force the application to make an HTTP request to an arbitrary destination host. 2025-12-09 not yet calculated CVE-2021-47703 ExploitDB-50670
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5694)
VulnCheck Advisory: OpenBMCS Server Side Request Forgery (SSRF) via /php/query.php
 
OPEN BMCS–OpenBMCS OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious ‘id’ values to extract database information. 2025-12-09 not yet calculated CVE-2021-47704 ExploitDB-50668
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5692)
VulnCheck Advisory: OpenBMCS SQL Injection via obix_test.php
 
COMMAX Co., Ltd.–COMMAX UMS Client ActiveX Control COMMAX UMS Client ActiveX Control 1.7.0.2 contains a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. Attackers can exploit improper boundary validation in CNC_Ctrl.dll to cause heap corruption and potentially gain system-level access. 2025-12-09 not yet calculated CVE-2021-47705 ExploitDB-50232
Zero Science Lab Disclosure (ZSL-2021-5664)
Reference
VulnCheck Advisory: CNC_Ctrl DllUnregisterServer Access Violation
 
COMMAX Co., Ltd.–COMMAX Biometric Access Control System COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information. 2025-12-09 not yet calculated CVE-2021-47706 ExploitDB-50206
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5661)
COMMAX Biometric Access Control System 1.0.0 Product Page
VulnCheck Advisory: COMMAX Biometric Access Control System Authentication Bypass
 
COMMAX Co., Ltd.–COMMAX CVD-Axx DVR COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclosure of the RTSP stream. Attackers can exploit this by sending a POST request with the ‘passkey’ parameter set to ‘1234’, allowing them to access the web control panel. 2025-12-09 not yet calculated CVE-2021-47707 ExploitDB-50210
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5667)
VulnCheck Advisory: COMMAX CVD-Axx DVR Weak Default Credentials Stream Disclosure
 
COMMAX Co., Ltd.–Smart Home IoT Control System COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the ‘id’ parameter in ‘loginstart.asp’. Attackers can exploit this by sending a POST request with malicious ‘id’ values to manipulate database queries and gain unauthorized access. 2025-12-09 not yet calculated CVE-2021-47708 ExploitDB-50207
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5662)
Zero Science GitHub Repository
VulnCheck Advisory: COMMAX Smart Home IoT Control System SQL Injection Authentication Bypass
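
Added example, written for this bulletin rather than taken from COMMAX, OpenBMCS or the linked advisories. The COMMAX loginstart.asp ‘id’ entry above and the OpenBMCS obix_test.php ‘id’ entry earlier in this section are the same defect, a request value spliced into SQL text. The block reproduces it against an in-memory SQLite table with constructed rows, shows both consequences the entries describe (an authentication bypass and extraction of other data through the same query via UNION), and the parameterised form that defeats both. The table layout, column names and payloads are assumptions for the demo, not the products' schema:

```python
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple[str, str]]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a product's user table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "demo-admin-pw", "admin"), ("guest", "demo-guest-pw", "viewer")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> Row:
    """The defect: the 'id' and password values become part of the SQL text."""
    sql = ("SELECT id, role FROM users WHERE id = '%s' AND password = '%s'"
           % (user_id, password))
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, user_id: str, password: str) -> Row:
    """Same query with bound parameters: the values never become SQL syntax,
    so a quote or comment sequence in them is just data to compare against."""
    sql = "SELECT id, role FROM users WHERE id = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone()


# Payload 1: close the quoted id and comment out the password check entirely.
BYPASS_ID = "admin'-- "
# Payload 2: no matching row needed; UNION pulls a different column (here the
# admin password) out through the same two-column result the page renders.
EXTRACT_ID = "nobody' UNION SELECT password, role FROM users WHERE id = 'admin'-- "


def demo() -> dict:
    """Run both payloads against both implementations and return the rows."""
    conn = build_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_ID, "wrong"),
        "vuln_extract": login_vulnerable(conn, EXTRACT_ID, "wrong"),
        "fixed_bypass": login_fixed(conn, BYPASS_ID, "wrong"),
        "fixed_extract": login_fixed(conn, EXTRACT_ID, "wrong"),
        "fixed_legit": login_fixed(conn, "admin", "demo-admin-pw"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

The comment marker and UNION syntax are SQLite's; the shape of the attack is the same on SQL Server (loginstart.asp suggests a Windows stack) and MySQL, only the details of the padding differ. The fix is the same everywhere: bind values, never concatenate them, and on top of that store password hashes rather than the cleartext this demo table holds so an extraction yields less.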
 
COMMAX Co., Ltd.–Smart Home Ruvie CCTV Bridge DVR Service COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. Attackers can trigger a denial-of-service scenario by sending a malformed request to the setconf endpoint. 2025-12-09 not yet calculated CVE-2021-47709 ExploitDB-50209
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5666)
VulnCheck Advisory: COMMAX Smart Home Ruvie CCTV Bridge DVR Service Config Write / DoS
 
COMMAX Co., Ltd.–Smart Home Ruvie CCTV Bridge DVR Service COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. Attackers can access sensitive information, including login credentials and DVR settings, by submitting a GET request to this endpoint. 2025-12-09 not yet calculated CVE-2021-47710 ExploitDB-50208
COMMAX Homepage
Zero Science Lab Disclosure (ZSL-2021-5665)
VulnCheck Advisory: COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure
 
IntelliChoice–IntelliChoice eFORCE Software Suite IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the ‘ctl00$MainContent$UserName’ POST parameter. Attackers can send requests with valid usernames to retrieve user information. 2025-12-09 not yet calculated CVE-2021-47717 ExploitDB-50164
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5658)
VulnCheck Advisory: IntelliChoice eFORCE Software Suite Username Enumeration
 
OPEN BMCS–OpenBMCS OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information. 2025-12-09 not yet calculated CVE-2021-47718 ExploitDB-50671
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5695)
VulnCheck Advisory: OpenBMCS Directory Listing Information Disclosure
 
COMMAX Co., Ltd.–COMMAX WebViewer ActiveX Control COMMAX WebViewer ActiveX Control 2.1.4.5 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. Attackers can exploit boundary errors in Commax_WebViewer.ocx to cause buffer overflow conditions and potentially gain code execution. 2025-12-09 not yet calculated CVE-2021-47719 ExploitDB-50231
Zero Science Lab Disclosure (ZSL-2021-5663)
Reference
VulnCheck Advisory: CNC_Ctrl DllUnregisterServer f5501 Access Violation
 
STVS SA–STVS ProVision STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can lure a logged-in user to a malicious web site that triggers the forged request, allowing them to create new admin users. 2025-12-09 not yet calculated CVE-2021-47723 ExploitDB-49482
STVS SA Homepage
Zero Science Lab Disclosure (ZSL-2021-5625)
VulnCheck Advisory: STVS ProVision Cross-Site Request Forgery (Add Admin)
 
STVS SA–STVS ProVision STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. Attackers can send GET requests to /archive/download with directory traversal sequences to read sensitive system files like /etc/passwd. 2025-12-09 not yet calculated CVE-2021-47724 ExploitDB-49481
Zero Science Lab Disclosure (ZSL-2021-5623)
Reference
VulnCheck Advisory: STVS ProVision Authenticated File Disclosure via archive.rb
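
Added example (editor's code, not from STVS, Eibiz, SpinetiX, JetBrains or the advisories) for the traversal entries in this section: the ‘files’ parameter of /archive/download above, the Eibiz ‘oldfile’ parameter, the SpinetiX backup and delete paths and the TeamCity upload. It shows why joining the base directory to the request is not enough (os.path.join neither removes ‘..’ segments nor keeps the base when the input is absolute) and a containment check that decodes once, forces the request relative, resolves ‘..’ and symlinks, and verifies the result is still under the served directory. The directory layout and file contents are constructed in a temporary directory so the block runs stand-alone; it assumes a POSIX filesystem that supports symlinks:

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """The defect: os.path.join neither strips '..' segments nor keeps base_dir
    when `requested` is absolute, so both forms leave the archive directory."""
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Map a client-supplied name onto base_dir and prove it stays inside.
    One URL-decode handles '%2e%2e' forms; resolve() canonicalises '..' and
    follows symlinks, so a link inside base_dir that points outside is caught."""
    base = Path(base_dir).resolve()
    relative = unquote(requested).lstrip("/\\")  # never let the request be absolute
    candidate = (base / relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {base}")
    return candidate


def fixed_read(base_dir: str, requested: str) -> bytes:
    return safe_resolve(base_dir, requested).read_bytes()


def build_tree():
    """Constructed layout: <root>/archive is the served directory, <root>/passwd
    stands in for a sensitive file outside it, archive/link is a symlink to it."""
    root = Path(tempfile.mkdtemp())
    archive = root / "archive"
    archive.mkdir()
    (archive / "log-2025-12-09.txt").write_bytes(b"constructed archive contents\n")
    (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed
    (archive / "link").symlink_to(root / "passwd")
    return root, archive


def run_checks() -> dict:
    """Exercise both readers; every value is True when the demo behaves as described."""
    root, archive = build_tree()
    outside = (root / "passwd").read_bytes()
    results = {
        "vuln_dotdot_escapes": vulnerable_read(str(archive), "../passwd") == outside,
        "vuln_absolute_escapes": vulnerable_read(str(archive), str(root / "passwd")) == outside,
        "fixed_serves_inside": fixed_read(str(archive), "log-2025-12-09.txt")
        == b"constructed archive contents\n",
    }
    for name, req in (("fixed_blocks_dotdot", "../passwd"),
                      ("fixed_blocks_encoded", "..%2fpasswd"),
                      ("fixed_blocks_leading_slash", "/../passwd"),
                      ("fixed_blocks_symlink", "link")):
        try:
            fixed_read(str(archive), req)
            results[name] = False  # it served a file it should have refused
        except PermissionError:
            results[name] = True
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:28s} {ok}")
```

Where the feature needs to write or delete (the SpinetiX backup and delete operations, the TeamCity upload) the same safe_resolve result is the only path that should be passed to the write or unlink, and it is worth doing the containment check against an allow-list of expected names or extensions as well, since a resolved path under the base can still name a file the handler never meant to touch.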
 
Selea s.r.l.–Selea Targa IP OCR-ANPR Camera Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage. 2025-12-09 not yet calculated CVE-2021-47727 ExploitDB-49459
Selea s.r.l. Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5619)
Mbed TLS GitHub Repository
VulnCheck Advisory: Selea Targa IP Camera Unauthenticated Stream Disclosure
 
Selea–Selea Targa IP OCR-ANPR Camera Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the ‘addr’ and ‘port’ parameters to inject commands and gain www-data user access through chained local file inclusion techniques. 2025-12-09 not yet calculated CVE-2021-47728 ExploitDB-49460
Selea Homepage
Zero Science Lab Disclosure (ZSL-2021-5620)
Zero Science GitHub Repository
VulnCheck Advisory: Selea Targa IP Camera Remote Code Execution via Utils
 
selea s.r.l.–Selea Targa IP OCR-ANPR Camera Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the ‘files_list’ parameter that allows attackers to inject malicious HTML and script code. Attackers can send a POST request to /cgi-bin/get_file.php with a crafted payload to execute arbitrary scripts in the victim’s browser session. 2025-12-09 not yet calculated CVE-2021-47729 ExploitDB-49454
Selea s.r.l. Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5614)
Selea Targa IP OCR-ANPR Camera Product Page
VulnCheck Advisory: Selea Targa IP Camera Stored Cross-Site Scripting via Files List
 
Selea s.r.l.–Selea Targa IP OCR-ANPR Camera Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page. 2025-12-09 not yet calculated CVE-2021-47730 ExploitDB-49458
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5618)
GitHub Repository of Zero Science
VulnCheck Advisory: Selea Targa IP Camera Cross-Site Request Forgery via Admin Creation
 
Selea s.r.l.–Selea Targa IP OCR-ANPR Camera Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password ‘Selea781830’ to enable configuration upload and overwrite device settings. 2025-12-09 not yet calculated CVE-2021-47731 ExploitDB-49455
Selea s.r.l. Product Web Page
Zero Science Lab Disclosure (ZSL-2021-5615)
Zero Science GitHub Repository
VulnCheck Advisory: Selea Targa IP Camera Developer Backdoor Configuration Overwrite
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid0, raid10: Don’t set discard sectors for request queue It should use disk_stack_limits to get a proper max_discard_sectors rather than setting a value by stack drivers. And there is a bug. If all member disks are rotational devices, raid0/raid10 set max_discard_sectors. So the member devices are not ssd/nvme, but raid0/raid10 export the wrong value. It reports warning messages in function __blkdev_issue_discard when mkfs.xfs like this: [ 4616.022599] ------------[ cut here ]------------ [ 4616.027779] WARNING: CPU: 4 PID: 99634 at block/blk-lib.c:50 __blkdev_issue_discard+0x16a/0x1a0 [ 4616.140663] RIP: 0010:__blkdev_issue_discard+0x16a/0x1a0 [ 4616.146601] Code: 24 4c 89 20 31 c0 e9 fe fe ff ff c1 e8 09 8d 48 ff 4c 89 f0 4c 09 e8 48 85 c1 0f 84 55 ff ff ff b8 ea ff ff ff e9 df fe ff ff <0f> 0b 48 8d 74 24 08 e8 ea d6 00 00 48 c7 c6 20 1e 89 ab 48 c7 c7 [ 4616.167567] RSP: 0018:ffffaab88cbffca8 EFLAGS: 00010246 [ 4616.173406] RAX: ffff9ba1f9e44678 RBX: 0000000000000000 RCX: ffff9ba1c9792080 [ 4616.181376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ba1c9792080 [ 4616.189345] RBP: 0000000000000cc0 R08: ffffaab88cbffd10 R09: 0000000000000000 [ 4616.197317] R10: 0000000000000012 R11: 0000000000000000 R12: 0000000000000000 [ 4616.205288] R13: 0000000000400000 R14: 0000000000000cc0 R15: ffff9ba1c9792080 [ 4616.213259] FS: 00007f9a5534e980(0000) GS:ffff9ba1b7c80000(0000) knlGS:0000000000000000 [ 4616.222298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4616.228719] CR2: 000055a390a4c518 CR3: 0000000123e40006 CR4: 00000000001706e0 [ 4616.236689] Call Trace: [ 4616.239428] blkdev_issue_discard+0x52/0xb0 [ 4616.244108] blkdev_common_ioctl+0x43c/0xa00 [ 4616.248883] blkdev_ioctl+0x116/0x280 [ 4616.252977] __x64_sys_ioctl+0x8a/0xc0 [ 4616.257163] do_syscall_64+0x5c/0x90 [ 4616.261164] ? handle_mm_fault+0xc5/0x2a0 [ 4616.265652] ? do_user_addr_fault+0x1d8/0x690 [ 4616.270527] ? do_syscall_64+0x69/0x90 [ 4616.274717] ? exc_page_fault+0x62/0x150 [ 4616.279097] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 4616.284748] RIP: 0033:0x7f9a55398c6b 2025-12-08 not yet calculated CVE-2022-50583 https://git.kernel.org/stable/c/e80bef070699d2e791badefccb1ddabd6998d468
https://git.kernel.org/stable/c/27e5d61a8e6919b5c0c6f473703ffea2acba862a
https://git.kernel.org/stable/c/8e1a2279ca2b0485cc379a153d02a9793f74a48f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic dma_map_single() doesn’t permit a zero-length mapping. It causes the following panic. A panic was reported on arm64: [ 60.137988] ------------[ cut here ]------------ [ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! [ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_async videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl [ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237 [ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) [ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590 [ 60.213149] lr : swiotlb_map+0x88/0x1f0 [ 60.216982] sp : ffff80000a883bc0 [ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000 [ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0 [ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000 [ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000 [ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180 [ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000 [ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000 [ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001 [ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010 [ 60.291658] Call trace: [ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590 [ 60.298629] swiotlb_map+0x88/0x1f0 [ 60.302115] dma_map_page_attrs+0x188/0x230 [ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test] [ 60.312660] __arm64_sys_ioctl+0xa8/0xf0 [ 60.316583] invoke_syscall+0x44/0x108 [ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0 [ 60.325038] do_el0_svc+0x2c/0xb8 [ 60.328351] el0_svc+0x2c/0x88 [ 60.331406] el0t_64_sync_handler+0xb8/0xc0 [ 60.335587] el0t_64_sync+0x18c/0x190 [ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000) [ 60.345344] ---[ end trace 0000000000000000 ]--- To fix it, this patch adds a check for a zero payload length. 2025-12-08 not yet calculated CVE-2022-50614 https://git.kernel.org/stable/c/0df206bdc6204b758585bbe159a55e23e7917b13
https://git.kernel.org/stable/c/e5ebcbb4f967af2083d409271aaf7c7d8351603f
https://git.kernel.org/stable/c/279116cb0bc5cd8af65d6a00ffe074bd09842f88
https://git.kernel.org/stable/c/6c01739c2aba19553beb20491b05515af9246f0f
https://git.kernel.org/stable/c/8e30538eca016de8e252bef174beadecd64239f0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its reference count increased. We need to call pci_dev_put() to decrease the reference count. Let’s add the missing pci_dev_put(). 2025-12-08 not yet calculated CVE-2022-50615 https://git.kernel.org/stable/c/d2afced51108813256d8072c6e464b0c9f0bb890
https://git.kernel.org/stable/c/433bd587dca5c3f7157fef2fe571290cd392cbf6
https://git.kernel.org/stable/c/a67146437b6428069b71a7e5e740a2a8e1c40ac9
https://git.kernel.org/stable/c/dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800
https://git.kernel.org/stable/c/8ebd16c11c346751b3944d708e6c181ed4746c39
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: regulator: core: Use different devices for resource allocation and DT lookup Following the discussion below, there is a potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/ From the analysis of Yingliang:

CPU A                                  |CPU B
mt6370_probe()                         |
  devm_mfd_add_devices()               |
                                       |mt6370_regulator_probe()
                                       |  regulator_register()
                                       |    //allocate init_data and add it to devres
                                       |    regulator_of_get_init_data()
i2c_unregister_device()                |
  device_del()                         |
    devres_release_all()               |
      // init_data is freed            |
      release_nodes()                  |
                                       |    // using init_data causes UAF
                                       |    regulator_register()

It’s common to use the mfd core to create a child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes the init data resource to be allocated to its parent, not itself. The issue happens when the parent device is going to be released and the regulator core is still doing some operation on the init data constraints for the regulator of the child device. To fix it, this patch expands the ‘regulator_register’ API to use different devices for init data allocation and DT lookup. 2025-12-08 not yet calculated CVE-2022-50616 https://git.kernel.org/stable/c/cb29811d989bcb7ea81ca111c4b13878b344e086
https://git.kernel.org/stable/c/b0f25ca1ff9be7abd1679ae7e59a8f25dbffe67a
https://git.kernel.org/stable/c/8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: Fix memory leak in power state init Commit 902bc65de0b3 (“drm/amdgpu/powerplay/psm: return an error in power state init”) made the power state init function return early in case of failure to get an entry from the powerplay table, but it missed to clean up the allocated memory for the current power state before returning. 2025-12-08 not yet calculated CVE-2022-50617 https://git.kernel.org/stable/c/1caed03305b560bafea8eaa57f1847791658b3ff
https://git.kernel.org/stable/c/7cb8932644438bee992dc898a36ffe155fdc1bfa
https://git.kernel.org/stable/c/1c65f8f98148709e08bd6157a807c443ba91f0ac
https://git.kernel.org/stable/c/8f8033d5663b18e6efb33feb61f2287a04605ab5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it’s not added yet, which will lead to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and going to the error path, which will call mmc_free_host(). 2025-12-08 not yet calculated CVE-2022-50618 https://git.kernel.org/stable/c/f5506e0bbb25102bd8ef2e1a3b483a0b934e454e
https://git.kernel.org/stable/c/9e11c6bb745be4e9b325cf96031b4ea34801342d
https://git.kernel.org/stable/c/64b2c441171febf075bd9632aca579afda8ab9fb
https://git.kernel.org/stable/c/e0cfe7aa41f3965f5224affd88afd48c60f6ad1f
https://git.kernel.org/stable/c/42343e3c6195e934b9cb4c08b7ff84a3778d77f9
https://git.kernel.org/stable/c/f5ce76aeddf01ca8f2a80fc37119388d59db7c10
https://git.kernel.org/stable/c/90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr() If the number of pages from the userptr BO differs from the SG BO then the allocated memory for the SG table doesn’t get freed before returning -EINVAL, which may lead to a memory leak in some error paths. Fix this by checking the number of pages before allocating memory for the SG table. 2025-12-08 not yet calculated CVE-2022-50619 https://git.kernel.org/stable/c/304a10161696d86300ceab1cbe72b2d74b8cdd94
https://git.kernel.org/stable/c/c6dc4c9ba093829ebe1450d5fb101da6fb7a2a58
https://git.kernel.org/stable/c/90bfee142af0f0e9d3bec80e7acd5f49b230acf7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to invalidate dcc->f2fs_issue_discard in error path Syzbot reports a NULL pointer dereference issue as below: __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:110 [inline] kthread_stop+0x34/0x1c0 kernel/kthread.c:703 f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638 kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522 deactivate_locked_super+0x70/0xe8 fs/super.c:332 deactivate_super+0xd0/0xd4 fs/super.c:363 cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186 __cleanup_mnt+0x20/0x30 fs/namespace.c:1193 task_work_run+0xc4/0x14c kernel/task_work.c:177 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x26c/0xbe0 kernel/exit.c:795 do_group_exit+0x60/0xe8 kernel/exit.c:925 __do_sys_exit_group kernel/exit.c:936 [inline] __se_sys_exit_group kernel/exit.c:934 [inline] __wake_up_parent+0x0/0x40 kernel/exit.c:934 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581 The root cause of this issue is in the error path of f2fs_start_discard_thread(): it fails to invalidate dcc->f2fs_issue_discard, so a later kthread_stop() may access an invalid pointer. 2025-12-08 not yet calculated CVE-2022-50620 https://git.kernel.org/stable/c/865bb7b5a7deeb0e5afbd82381d52d38825dc64d
https://git.kernel.org/stable/c/a3e517a6ba695d683ee63615e1ea6e6b4c7d2732
https://git.kernel.org/stable/c/ae6c960a82c52c3bda5adc82d90643d6c12d308e
https://git.kernel.org/stable/c/91586ce0d39a05f88795aa8814fb99b1387236b3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm: verity-loadpin: Only trust verity targets with enforcement Verity targets can be configured to ignore corrupted data blocks. LoadPin must only trust verity targets that are configured to perform some kind of enforcement when data corruption is detected, like returning an error, restarting the system or triggering a panic. 2025-12-08 not yet calculated CVE-2022-50621 https://git.kernel.org/stable/c/cb1f5b76e39d86c98722696bdf632987aa777b83
https://git.kernel.org/stable/c/916ef6232cc4b84db7082b4c3d3cf1753d9462ba
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak in ext4_fc_record_modified_inode() As krealloc may return NULL, in this case ‘state->fc_modified_inodes’ may not be freed by krealloc, but ‘state->fc_modified_inodes’ is already set to NULL. This then leads to a ‘state->fc_modified_inodes’ memory leak. 2025-12-08 not yet calculated CVE-2022-50622 https://git.kernel.org/stable/c/c9ce7766dc4e88e624c62a68221a3bbe8f06e856
https://git.kernel.org/stable/c/9b5eb368a86f97eb9831f5b53b8e43ec69bc7cd4
https://git.kernel.org/stable/c/c0be17635f039f864b1108efec0015c73736e414
https://git.kernel.org/stable/c/24d39affc6be1acf6df86a8c3e2413b8a73749c7
https://git.kernel.org/stable/c/9305721a309fa1bd7c194e0d4a2335bf3b29dca4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() The “hdr.count * sizeof(s32)” multiplication can overflow on 32 bit systems leading to memory corruption. Use array_size() to fix that. 2025-12-08 not yet calculated CVE-2022-50623 https://git.kernel.org/stable/c/f59861946fa51bcc1f305809e4ebc1013b0ee61c
https://git.kernel.org/stable/c/b94605f5cb99e90c8ca91523597a40e1bd59546b
https://git.kernel.org/stable/c/1b5a931594f7ffd26d706614c37d4da0f2ffb6e7
https://git.kernel.org/stable/c/940253af8b3865b76de8d1b46bcd4a700104852e
https://git.kernel.org/stable/c/939bc5453b8cbdde9f1e5110ce8309aedb1b501a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: netsec: fix error handling in netsec_register_mdio() If phy_device_register() fails, phy_device_free() needs to be called to put the refcount, so the memory of the phy device and device name can be freed in the callback function. If get_phy_device() fails, mdiobus_unregister() needs to be called, or it will cause a warning in mdiobus_free() and the kobject is leaked. 2025-12-08 not yet calculated CVE-2022-50624 https://git.kernel.org/stable/c/728884b22d83148a330b23f9472f1e118b589211
https://git.kernel.org/stable/c/fda2d07234a21be4d71ebfe97a45f499726902d6
https://git.kernel.org/stable/c/62f0a08e82a6312efd7df7f595c0b11d4ffde610
https://git.kernel.org/stable/c/1e0bee973ef6fc3c1e3acb014515eaea37c8fa17
https://git.kernel.org/stable/c/846e677daf51220d7975c61a20e440a88473951e
https://git.kernel.org/stable/c/94423589689124e8cd145b38a1034be7f25835b2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter “B Generic UART” in “ARM Server Base System Architecture” [1] documentation describes a generic UART interface. Such a generic UART does not support DMA. In the current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to the DMACR register for SBSA UARTs, which do not support DMA. When the kernel enables the DMA engine with “CONFIG_DMA_ENGINE=y”, the Linux SBSA PL011 driver will access the PL011 DMACR register in some functions. For most real SBSA PL011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like the Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to the guest when the guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement the DMACR register. So when the Linux SBSA PL011 driver accesses the DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP … Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon This has been discussed in the Xen community, and we think it should be fixed in Linux. See [2] for more information. [1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html 2025-12-08 not yet calculated CVE-2022-50625 https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3
https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0
https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48
https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c
https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb
https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f
https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a
https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a
https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Syzbot reports a memory leak in “dvb_usb_adapter_init()”. The leak is due to not accounting for and freeing the current iteration’s adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing “num_adapters_initalized”, which is used as a reference counter to free all adap->priv in “dvb_usb_adapter_exit()”. There are multiple error paths that can exit from before incrementing the counter, including the error handling paths for “dvb_usb_adapter_stream_init()”, “dvb_usb_adapter_dvb_init()” and “dvb_usb_adapter_frontend_init()” within “dvb_usb_adapter_init()”. This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration’s adap->priv is not freed. Fix this by freeing the current iteration’s adap->priv in the “stream_init_err:” label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable. Syzbot report: BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm “kworker/0:2”, pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970 [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 2025-12-08 not yet calculated CVE-2022-50626 https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd
https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15
https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40
https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239
https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8
https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4
https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f
https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8
https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix monitor mode bringup crash When the interface is brought up in monitor mode, it leads to a NULL pointer dereference crash. This crash happens when the packet type is extracted for a SKB. This extraction, which is present in the received msdu delivery path, is not needed for the monitor ring packets since they are all RAW packets. Hence appending the flags with “RX_FLAG_ONLY_MONITOR” to skip that extraction. Observed calltrace: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000064 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048517000 [0000000000000064] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: ath11k_pci ath11k qmi_helpers CPU: 2 PID: 1781 Comm: napi/-271 Not tainted 6.1.0-rc5-wt-ath-656295-gef907406320c-dirty #6 Hardware name: Qualcomm Technologies, Inc. IPQ8074/AP-HK10-C2 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k] lr : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x5c/0x60 [ath11k] sp : ffff80000ef5bb10 x29: ffff80000ef5bb10 x28: 0000000000000000 x27: ffff000007baafa0 x26: ffff000014a91ed0 x25: 0000000000000000 x24: 0000000000000000 x23: ffff800002b77378 x22: ffff000014a91ec0 x21: ffff000006c8d600 x20: 0000000000000000 x19: ffff800002b77740 x18: 0000000000000006 x17: 736564203634343a x16: 656e694c20657079 x15: 0000000000000143 x14: 00000000ffffffea x13: ffff80000ef5b8b8 x12: ffff80000ef5b8c8 x11: ffff80000a591d30 x10: ffff80000a579d40 x9 : c0000000ffffefff x8 : 0000000000000003 x7 : 0000000000017fe8 x6 : ffff80000a579ce8 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 3a35ec12ed7f8900 x1 : 0000000000000000 x0 : 0000000000000052 Call trace: ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k] ath11k_dp_rx_deliver_msdu.isra.42+0xa4/0x3d0 [ath11k] ath11k_dp_rx_mon_deliver.isra.43+0x2f8/0x458 [ath11k] ath11k_dp_rx_process_mon_rings+0x310/0x4c0 [ath11k] ath11k_dp_service_srng+0x234/0x338 [ath11k] ath11k_pcic_ext_grp_napi_poll+0x30/0xb8 [ath11k] __napi_poll+0x5c/0x190 napi_threaded_poll+0xf0/0x118 kthread+0xf4/0x110 ret_from_fork+0x10/0x20 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 2025-12-08 not yet calculated CVE-2022-50627 https://git.kernel.org/stable/c/d6ea1ca1d456bb661e5a9d104e69d2c261161115
https://git.kernel.org/stable/c/9089c3080a98f1452335e08b8014a28003a211ce
https://git.kernel.org/stable/c/950b43f8bd8a4d476d2da6d2a083a89bcd3c90d7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/gud: Fix UBSAN warning UBSAN complains about invalid value for bool: [ 101.165172] [drm] Initialized gud 1.0.0 20200422 for 2-3.2:1.0 on minor 1 [ 101.213360] gud 2-3.2:1.0: [drm] fb1: guddrmfb frame buffer device [ 101.213426] usbcore: registered new interface driver gud [ 101.989431] ================================================================================ [ 101.989441] UBSAN: invalid-load in linux/include/linux/iosys-map.h:253:9 [ 101.989447] load of value 121 is not a valid value for type ‘_Bool’ [ 101.989451] CPU: 1 PID: 455 Comm: kworker/1:6 Not tainted 5.18.0-rc5-gud-5.18-rc5 #3 [ 101.989456] Hardware name: Hewlett-Packard HP EliteBook 820 G1/1991, BIOS L71 Ver. 01.44 04/12/2018 [ 101.989459] Workqueue: events_long gud_flush_work [gud] [ 101.989471] Call Trace: [ 101.989474] <TASK> [ 101.989479] dump_stack_lvl+0x49/0x5f [ 101.989488] dump_stack+0x10/0x12 [ 101.989493] ubsan_epilogue+0x9/0x3b [ 101.989498] __ubsan_handle_load_invalid_value.cold+0x44/0x49 [ 101.989504] dma_buf_vmap.cold+0x38/0x3d [ 101.989511] ? find_busiest_group+0x48/0x300 [ 101.989520] drm_gem_shmem_vmap+0x76/0x1b0 [drm_shmem_helper] [ 101.989528] drm_gem_shmem_object_vmap+0x9/0xb [drm_shmem_helper] [ 101.989535] drm_gem_vmap+0x26/0x60 [drm] [ 101.989594] drm_gem_fb_vmap+0x47/0x150 [drm_kms_helper] [ 101.989630] gud_prep_flush+0xc1/0x710 [gud] [ 101.989639] ? _raw_spin_lock+0x17/0x40 [ 101.989648] gud_flush_work+0x1e0/0x430 [gud] [ 101.989653] ? __switch_to+0x11d/0x470 [ 101.989664] process_one_work+0x21f/0x3f0 [ 101.989673] worker_thread+0x200/0x3e0 [ 101.989679] ? rescuer_thread+0x390/0x390 [ 101.989684] kthread+0xfd/0x130 [ 101.989690] ? kthread_complete_and_exit+0x20/0x20 [ 101.989696] ret_from_fork+0x22/0x30 [ 101.989706] </TASK> [ 101.989708] ================================================================================ The source of this warning is in iosys_map_clear() called from dma_buf_vmap(). It conditionally sets values based on map->is_iomem. The iosys_map variables are allocated uninitialized on the stack leading to ->is_iomem having all kinds of values and not only 0/1. Fix this by zeroing the iosys_map variables. 2025-12-08 not yet calculated CVE-2022-50628 https://git.kernel.org/stable/c/832f861a46039d50536dcfda0a9fb334b48d0f8b
https://git.kernel.org/stable/c/e1078b270d218f8d58efb4d78ea25a4d16ba3490
https://git.kernel.org/stable/c/951df98024f7272f85df5044eca7374f5b5b24ef
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory leak in rsi_coex_attach() The coex_cb needs to be freed when rsi_create_kthread() failed in rsi_coex_attach(). 2025-12-08 not yet calculated CVE-2022-50629 https://git.kernel.org/stable/c/98259e0b6cf7f021da9fe4e11fbcce6ad6705ffe
https://git.kernel.org/stable/c/fe4d7280cf4ddbea6536b596297c07662c7856fc
https://git.kernel.org/stable/c/efc8df970561ff708379b89b348e16d3b410cc7b
https://git.kernel.org/stable/c/b56e60b3b158a93bc713437e8e466f401ff8cc9f
https://git.kernel.org/stable/c/c4f1ded67a90fb3b2e679e2c90b78921d9246044
https://git.kernel.org/stable/c/ace789b1d465fae104cd37e49f6e1bcd1c8ff417
https://git.kernel.org/stable/c/956fb851a6e19da5ab491e19c1bc323bb2c2cf6f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: fix UAF in hugetlb_handle_userfault The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquired again after handle_userfault(), but reacquiring the vma_lock could lead to UAF[1,2] due to the following race:

hugetlb_fault
  hugetlb_no_page
    /*unlock vma_lock */
    hugetlb_handle_userfault
      handle_userfault
        /* unlock mm->mmap_lock*/
                                           vm_mmap_pgoff
                                             do_mmap
                                               mmap_region
                                                 munmap_vma_range
                                                   /* clean old vma */
        /* lock vma_lock again  <--- UAF */
    /* unlock vma_lock */

Since the vma_lock will be unlocked immediately after hugetlb_handle_userfault(), let’s drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix the issue. [1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/ 2025-12-08 not yet calculated CVE-2022-50630 https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29
https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc
https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a
https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33
https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of fdt buffer This is reported by the kmemleak detector: unreferenced object 0xff60000082864000 (size 9588): comm “kexec”, pid 146, jiffies 4294900634 (age 64.788s) hex dump (first 32 bytes): d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@ 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............ backtrace: [<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e [<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4 [<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6 [<00000000f01e68b4>] __kmalloc+0x5c2/0x62a [<000000002bd497b2>] kvmalloc_node+0x66/0xd6 [<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea [<00000000e1166bde>] elf_kexec_load+0x206/0x4ec [<0000000036548e09>] kexec_image_load_default+0x40/0x4c [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 [<0000000040c62c03>] ret_from_syscall+0x0/0x2 In elf_kexec_load(), a buffer is allocated via kvmalloc() to store the fdt. But it is not freed back to the system when the kexec kernel is reloaded or unloaded, so a memory leak is caused. Fix it by introducing the riscv specific function arch_kimage_file_post_load_cleanup(), and freeing the buffer there. 2025-12-08 not yet calculated CVE-2022-50631 https://git.kernel.org/stable/c/c66ad198b6497dee8f45d7ed5c03629c4525c7d0
https://git.kernel.org/stable/c/dc387c34d8dd10b02a333df098f8fd9bba177a45
https://git.kernel.org/stable/c/96df59b1ae23f5c11698c3c2159aeb2ecd4944a4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init() tad_pmu_init() won’t remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() fails. Remove the callback with cpuhp_remove_multi_state() in the failure path, similar to the handling of arm_ccn_init() in commit 26242b330093 (“bus: arm-ccn: Prevent hotplug callback leak”). 2025-12-08 not yet calculated CVE-2022-50632 https://git.kernel.org/stable/c/367404bfd1aa87b2a50059cd8edc6c12c367cd15
https://git.kernel.org/stable/c/7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb
https://git.kernel.org/stable/c/973ae93d80d9d262f695eb485a1902b74c4b9098
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init of_icc_get() allocates resources for the path handle; we should release them when they are no longer needed, like the release in the dwc3_qcom_interconnect_exit() function. Add icc_put() in the error handling path to fix this. 2025-12-09 not yet calculated CVE-2022-50633 https://git.kernel.org/stable/c/f9089b95548f0272e02a89989c511e235561d051
https://git.kernel.org/stable/c/56f6de394f0f57928cd401255a5c7866b68a77e3
https://git.kernel.org/stable/c/8c39c8d23ff9fb1beb6e16cf0ae929c764538625
https://git.kernel.org/stable/c/2f3b51189f7a7be5d822fb8c537d778c57eb9821
https://git.kernel.org/stable/c/97a48da1619ba6bd42a0e5da0a03aa490a9496b1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() cw_bat_probe() calls create_singlethread_workqueue() and does not check the return value, which may be NULL. A null-ptr-deref may then happen: cw_bat_probe() create_singlethread_workqueue() # failed, cw_bat->wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref Check the return value and return -ENOMEM if it is NULL. 2025-12-09 not yet calculated CVE-2022-50634 https://git.kernel.org/stable/c/f7e2ba8ed08138102f21f3fe6414498c93177fd8
https://git.kernel.org/stable/c/5150b76aa2eb8bb8feb7f7a048417f9d39c3dd04
https://git.kernel.org/stable/c/97f2b4ddb0aa700d673691a7d5e44d226d22bab7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe(): # echo ‘p cmdline_proc_show’ > kprobe_events # echo ‘p cmdline_proc_show+16’ >> kprobe_events Kernel attempted to read user page (0) – exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000000050bfc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006 CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 … NIP arch_prepare_kprobe+0x10c/0x2d0 LR arch_prepare_kprobe+0xfc/0x2d0 Call Trace: 0xc0000000012f77a0 (unreliable) register_kprobe+0x3c0/0x7a0 __register_trace_kprobe+0x140/0x1a0 __trace_kprobe_create+0x794/0x1040 trace_probe_create+0xc4/0xe0 create_or_delete_trace_kprobe+0x2c/0x80 trace_parse_run_command+0xf0/0x210 probes_write+0x20/0x40 vfs_write+0xfc/0x450 ksys_write+0x84/0x140 system_call_exception+0x17c/0x3a0 system_call_vectored_common+0xe8/0x278 — interrupt: 3000 at 0x7fffa5682de0 NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000 The address being probed has some special: cmdline_proc_show: Probe based on ftrace cmdline_proc_show+16: Probe for the next instruction at the ftrace location The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. 
In arch_prepare_kprobe() it will check for: … prev = get_kprobe(p->addr – 1); preempt_enable_no_resched(); if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { … If prev is based on ftrace, ‘ppc_inst_read(prev->ainsn.insn)’ will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped. Check if prev is ftrace-based kprobe before reading ‘prev->ainsn.insn’ to fix this problem. [mpe: Trim oops] 2025-12-09 not yet calculated CVE-2022-50635 https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813
https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e
https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac
https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_device_is_present() for VFs by checking PF pci_device_is_present() previously didn’t work for VFs because it reads the Vendor and Device ID, which are 0xffff for VFs, which looks like they aren’t present. Check the PF instead. Wei Gong reported that if virtio I/O is in progress when the driver is unbound or “0” is written to /sys/…/sriov_numvfs, the virtio I/O operation hangs, which may result in output like this: task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 Call Trace: schedule+0x4f/0xc0 blk_mq_freeze_queue_wait+0x69/0xa0 blk_mq_freeze_queue+0x1b/0x20 blk_cleanup_queue+0x3d/0xd0 virtblk_remove+0x3c/0xb0 [virtio_blk] virtio_dev_remove+0x4b/0x80 … device_unregister+0x1b/0x60 unregister_virtio_device+0x18/0x30 virtio_pci_remove+0x41/0x80 pci_device_remove+0x3e/0xb0 This happened because pci_device_is_present(VF) returned “false” in virtio_pci_remove(), so it called virtio_break_device(). The broken vq meant that vring_interrupt() skipped the vq.callback() that would have completed the virtio I/O operation via virtblk_done(). [bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag] 2025-12-09 not yet calculated CVE-2022-50636 https://git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59
https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629
https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1
https://git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820
https://git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34
https://git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3
https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94
https://git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() If “cpu_dev” fails to get the opp table in qcom_cpufreq_hw_read_lut(), the function will return, resulting in the “table” resource not being released. 2025-12-09 not yet calculated CVE-2022-50637 https://git.kernel.org/stable/c/3ef12a4a8ef5553af9c3fd2719a616637a102568
https://git.kernel.org/stable/c/4ea765b10624d67407817100d381c60f53593033
https://git.kernel.org/stable/c/5d430076e66bddd08612911513b36f932b0d9d6c
https://git.kernel.org/stable/c/242e23be8f31ebd90525c57ee3244c28e99a1697
https://git.kernel.org/stable/c/9901c21bcaf2f01fe5078f750d624f4ddfa8f81b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode We got an issue as follows: ================================================================== kernel BUG at fs/ext4/extents_status.c:203! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349 RIP: 0010:ext4_es_end.isra.0+0x34/0x42 RSP: 0018:ffffc9000143b768 EFLAGS: 00010203 RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8 R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0 R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000 FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __es_tree_search.isra.0+0x6d/0xf5 ext4_es_cache_extent+0xfa/0x230 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_mpage_readpages+0x48e/0xe40 ext4_readahead+0x47/0x50 read_pages+0x82/0x530 page_cache_ra_unbounded+0x199/0x2a0 do_page_cache_ra+0x47/0x70 page_cache_ra_order+0x242/0x400 ondemand_readahead+0x1e8/0x4b0 page_cache_sync_ra+0xf4/0x110 filemap_get_pages+0x131/0xb20 filemap_read+0xda/0x4b0 generic_file_read_iter+0x13a/0x250 ext4_file_read_iter+0x59/0x1d0 vfs_read+0x28f/0x460 ksys_read+0x73/0x160 __x64_sys_read+0x1e/0x30 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== In the above issue, ioctl invokes the swap_inode_boot_loader function to swap inode<5> and inode<12>. 
However, inode<5> contains an incorrect imode and disordered extents, and i_nlink is set to 1. The extents check for the inode in the ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO. While links_count is set to 1, the extents are not initialized in swap_inode_boot_loader. After the ioctl command is executed successfully, the extents are swapped to inode<12>; in this case, run the `cat` command to view inode<12>, and BUG_ON is triggered due to the incorrect extents. When the boot loader inode is not initialized, its imode can be one of the following: 1) the imode is a bad type, which is marked as bad_inode in ext4_iget and set to S_IFREG. 2) the imode is a good type but not S_IFREG. 3) the imode is S_IFREG. The BUG_ON may be triggered by bypassing the check in cases 1 and 2. Therefore, when the boot loader inode is bad_inode or its imode is not S_IFREG, initialize the inode to avoid triggering the BUG. 2025-12-09 not yet calculated CVE-2022-50638 https://git.kernel.org/stable/c/e76ede9d2c9e0af4573342b56d7cdbf757c18084
https://git.kernel.org/stable/c/a95ba369255ddcdc5e43d38bc5203537bdf3a518
https://git.kernel.org/stable/c/5f8d36abd2059bf1bd016b17d1fe78d8613deddd
https://git.kernel.org/stable/c/78e335fb573e6a85718c4c24d5a052718a99a9ed
https://git.kernel.org/stable/c/71e99ec1315fe98d322b17b9a28f204aaf15ffee
https://git.kernel.org/stable/c/d480a49c15c465cb9a16db1379f4996e9b5bb9cc
https://git.kernel.org/stable/c/feec0ea94c5ef4aa118750284c8a921698733ef2
https://git.kernel.org/stable/c/a125c8806b7d3c3815b6f9f59d395b9d7527b0ef
https://git.kernel.org/stable/c/991ed014de0840c5dc405b679168924afb2952ac
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io-wq: Fix memory leak in worker creation If the CPU mask allocation for a node fails, then the memory allocated for the ‘io_wqe’ struct of the current node doesn’t get freed on the error handling path, since it has not yet been added to the ‘wqes’ array. This was spotted when fuzzing v6.1-rc1 with Syzkaller: BUG: memory leak unreferenced object 0xffff8880093d5000 (size 1024): comm “syz-executor.2”, pid 7701, jiffies 4295048595 (age 13.900s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720 [<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130 [<000000004e107011>] io_wq_create+0x7b9/0xdc0 [<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d [<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba [<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce [<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80 [<000000008a8a7508>] do_syscall_64+0x5d/0x90 [<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd 2025-12-09 not yet calculated CVE-2022-50639 https://git.kernel.org/stable/c/b6e2c54be37d5eb4f6666e6aa59cd0581c7ffc3c
https://git.kernel.org/stable/c/ed981911a7c90a604f4a2bee908ab07e3b786aca
https://git.kernel.org/stable/c/996d3efeb091c503afd3ee6b5e20eabf446fd955
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fix kernel panic when remove non-standard SDIO card The SDIO tuple is only allocated for a standard SDIO card; this causes memory corruption issues when a non-standard SDIO card has been removed, because the card device’s reference counter is not increased for it at sdio_init_func(), but every SDIO card device’s reference counter is decreased at sdio_release_func(). 2025-12-09 not yet calculated CVE-2022-50640 https://git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f
https://git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95
https://git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d
https://git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0
https://git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96
https://git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf
https://git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b
https://git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HSI: omap_ssi: Fix refcount leak in ssi_probe When returning or breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() on the child node to possibly release the node. 2025-12-09 not yet calculated CVE-2022-50641 https://git.kernel.org/stable/c/20fbaff6699ea5553c67550e867d6f90b7085447
https://git.kernel.org/stable/c/18e199a5541aad6dc5cf51bc3f712247b2d17894
https://git.kernel.org/stable/c/e8a218c17d7c5c42d5609ef92d339b47f3d11d02
https://git.kernel.org/stable/c/aa9c0598b10960ad1198044da1e277a89b4e3af6
https://git.kernel.org/stable/c/962f22e7f7698f7718d95bd9b63e41fb8cca01a9
https://git.kernel.org/stable/c/691f23a8475f04c988f7e98066b084e996b40fa0
https://git.kernel.org/stable/c/e25f56f8bdf66126a54b5a88bc021c82bfb50b75
https://git.kernel.org/stable/c/0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4
https://git.kernel.org/stable/c/9a2ea132df860177b33c9fd421b26c4e9a0a9396
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: zero out stale pointers `cros_typec_get_switch_handles` allocates four pointers when obtaining type-c switch handles. These pointers are all freed if failing to obtain any of them; therefore, pointers in `port` become stale. The stale pointers eventually cause use-after-free or double free in later code paths. Zero out all pointer fields after freeing to eliminate these stale pointers. 2025-12-09 not yet calculated CVE-2022-50642 https://git.kernel.org/stable/c/0ceadb5a3e45f1b81cf54bd496b40a5e50b6bd40
https://git.kernel.org/stable/c/b610758bb3e0674644c1255cdafc2f46b7e05ff9
https://git.kernel.org/stable/c/6613f36a2fa5c69e528bccba8b3d831f759dad2f
https://git.kernel.org/stable/c/9a8aadcf0b459c1257b9477fd6402e1d5952ae07
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_copy_file_range() If the file is used by swap, the xid should be freed before returning -EOPNOTSUPP; otherwise, the xid will be leaked. 2025-12-09 not yet calculated CVE-2022-50643 https://git.kernel.org/stable/c/bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2
https://git.kernel.org/stable/c/27cfd3afaab000a455194338db3b7f2031fde9d0
https://git.kernel.org/stable/c/dc283313d1ca378d787cb55c1e580dc3de852680
https://git.kernel.org/stable/c/9a97df404a402fe1174d2d1119f87ff2a0ca2fe9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe pm_runtime_get_sync() will increment the pm usage counter. Forgetting the put operation will result in a reference leak. Add the missing pm_runtime_put_sync in some error paths. 2025-12-09 not yet calculated CVE-2022-50644 https://git.kernel.org/stable/c/27abe45df1dc394c184688d816cbbf2f194d4c6a
https://git.kernel.org/stable/c/d84f77ef7d57658d7346f8c4797a570aa5e35fa6
https://git.kernel.org/stable/c/25fe7b0d596b343e7a5504ba11767115fff8494f
https://git.kernel.org/stable/c/fc39ebf85d0349366b807fe2be848041c8523f03
https://git.kernel.org/stable/c/6d01017247eee3fba399f601b0bcb38e4fb88a72
https://git.kernel.org/stable/c/3441076f83aace85f5d6ccd9ffb301ac6b874776
https://git.kernel.org/stable/c/a9f69663ad571cbd7814dde38e3fcb4876341ed6
https://git.kernel.org/stable/c/c01ae99a4e3a0cdf70f7cd758a60a2243eac562c
https://git.kernel.org/stable/c/9c59a01caba26ec06fefd6ca1f22d5fd1de57d63
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, so it doesn’t need to call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI device needs to be put in the error path. 2025-12-09 not yet calculated CVE-2022-50645 https://git.kernel.org/stable/c/e6e295a434d1c917a017980389aec88bf35cc81b
https://git.kernel.org/stable/c/2db53c7059167b63cc790366ef1a9e286e71980b
https://git.kernel.org/stable/c/3e255dc21031cc1f341584eb99a7f31598bf0be7
https://git.kernel.org/stable/c/1adb2583cdbd75f379e3230a43a7412d373d499f
https://git.kernel.org/stable/c/f29c2f57cdf7a57223dcd9fbaa2261faab5234b2
https://git.kernel.org/stable/c/9c8921555907f4d723f01ed2d859b66f2d14f08e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsa_init_one() The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() fails, hpsa_init_one() jumps to clean1 directly, which frees h and leaks h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->reply_map and h instead of freeing h directly. 2025-12-09 not yet calculated CVE-2022-50646 https://git.kernel.org/stable/c/f4d1c14e8b404766ff2bb8644bb19443d73965de
https://git.kernel.org/stable/c/f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e
https://git.kernel.org/stable/c/c808edbf580bfc454671cbe66e9d7c2e938e7601
https://git.kernel.org/stable/c/bfe10a1d9fbccdf39f8449d62509f070d8aaaac1
https://git.kernel.org/stable/c/fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507
https://git.kernel.org/stable/c/0aa7be66168b1e84b2581ffff3ccb54a6c804a1e
https://git.kernel.org/stable/c/9c9ff300e0de07475796495d86f449340d454a0c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RISC-V: Make port I/O string accessors actually work Fix port I/O string accessors such as `insb’, `outsb’, etc. which use the physical PCI port I/O address rather than the corresponding memory mapping to get at the requested location, which in turn breaks at least accesses made by our parport driver to a PCIe parallel port such as: PCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20 parport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP] causing a memory access fault: Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008 Oops [#1] Modules linked in: CPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23 Hardware name: SiFive HiFive Unmatched A00 (DT) epc : parport_pc_fifo_write_block_pio+0x266/0x416 ra : parport_pc_fifo_write_block_pio+0xb4/0x416 epc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60 gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000 t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0 s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000 a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000 s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50 s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000 s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000 s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930 t5 : 0000000000001000 t6 : 0000000000040000 status: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f [<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200 [<ffffffff8053bbc0>] parport_write+0x46/0xf8 [<ffffffff8050530e>] lp_write+0x158/0x2d2 [<ffffffff80185716>] vfs_write+0x8e/0x2c2 [<ffffffff80185a74>] ksys_write+0x52/0xc2 
[<ffffffff80185af2>] sys_write+0xe/0x16 [<ffffffff80003770>] ret_from_syscall+0x0/0x2 ---[ end trace 0000000000000000 ]--- For simplicity address the problem by adding PCI_IOBASE to the physical address requested in the respective wrapper macros only, observing that the raw accessors such as `__insb’, `__outsb’, etc. are not supposed to be used other than by said macros. Remove the cast to `long’ that is no longer needed on `addr’ now that it is used as an offset from PCI_IOBASE and add parentheses around `addr’ needed for predictable evaluation in macro expansion. No need to make said adjustments in separate changes given that current code is gravely broken and does not ever work. 2025-12-09 not yet calculated CVE-2022-50647 https://git.kernel.org/stable/c/2c60db6869fe5213471fcf4fe5704dc29da8b5ee
https://git.kernel.org/stable/c/2ce9fab94b8db61f014e43ddf80dd1524ae6dff4
https://git.kernel.org/stable/c/dc235db7b79a352d07d62e8757ad856dbf1564c1
https://git.kernel.org/stable/c/140b2b92dbefffa7f4f7211a1fd399a6e79e71c4
https://git.kernel.org/stable/c/1acee4616930fc07265cb8e539753a8062daa8e0
https://git.kernel.org/stable/c/9cc205e3c17d5716da7ebb7fa0c985555e95d009
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller Naveen reported recursive locking of direct_mutex with sample ftrace-direct-modify.ko: [ 74.762406] WARNING: possible recursive locking detected [ 74.762887] 6.0.0-rc6+ #33 Not tainted [ 74.763216] ——————————————– [ 74.763672] event-sample-fn/1084 is trying to acquire lock: [ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: register_ftrace_function+0x1f/0x180 [ 74.764922] [ 74.764922] but task is already holding lock: [ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: modify_ftrace_direct+0x34/0x1f0 [ 74.766142] [ 74.766142] other info that might help us debug this: [ 74.766701] Possible unsafe locking scenario: [ 74.766701] [ 74.767216] CPU0 [ 74.767437] —- [ 74.767656] lock(direct_mutex); [ 74.767952] lock(direct_mutex); [ 74.768245] [ 74.768245] *** DEADLOCK *** [ 74.768245] [ 74.768750] May be due to missing lock nesting notation [ 74.768750] [ 74.769332] 1 lock held by event-sample-fn/1084: [ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: modify_ftrace_direct+0x34/0x1f0 [ 74.770496] [ 74.770496] stack backtrace: [ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted … [ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), … [ 74.772474] Call Trace: [ 74.772696] <TASK> [ 74.772896] dump_stack_lvl+0x44/0x5b [ 74.773223] __lock_acquire.cold.74+0xac/0x2b7 [ 74.773616] lock_acquire+0xd2/0x310 [ 74.773936] ? register_ftrace_function+0x1f/0x180 [ 74.774357] ? lock_is_held_type+0xd8/0x130 [ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.775213] __mutex_lock+0x99/0x1010 [ 74.775536] ? register_ftrace_function+0x1f/0x180 [ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160 [ 74.776424] ? ftrace_set_hash+0x195/0x220 [ 74.776779] ? register_ftrace_function+0x1f/0x180 [ 74.777194] ? kfree+0x3e1/0x440 [ 74.777482] ? 
my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.777941] ? __schedule+0xb40/0xb40 [ 74.778258] ? register_ftrace_function+0x1f/0x180 [ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.779128] register_ftrace_function+0x1f/0x180 [ 74.779527] ? ftrace_set_filter_ip+0x33/0x70 [ 74.779910] ? __schedule+0xb40/0xb40 [ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.781147] ftrace_modify_direct_caller+0x5b/0x90 [ 74.781563] ? 0xffffffffa0201000 [ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.782309] modify_ftrace_direct+0x1b2/0x1f0 [ 74.782690] ? __schedule+0xb40/0xb40 [ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify] [ 74.783508] ? __schedule+0xb40/0xb40 [ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify] [ 74.784766] kthread+0xf5/0x120 [ 74.785052] ? kthread_complete_and_exit+0x20/0x20 [ 74.785464] ret_from_fork+0x22/0x30 [ 74.785781] </TASK> Fix this by using register_ftrace_function_nolock in ftrace_modify_direct_caller. 2025-12-09 not yet calculated CVE-2022-50648 https://git.kernel.org/stable/c/2482eacb685b6500e158268befbe6c90de5f166a
https://git.kernel.org/stable/c/9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but the adp5061_chg_type array size is 4, so we may end up reading 4 elements beyond the end of the adp5061_chg_type[] array. 2025-12-09 not yet calculated CVE-2022-50649 https://git.kernel.org/stable/c/24a0be36e9a21f63de2e6088607e689e59ec15f4
https://git.kernel.org/stable/c/3376a0cf138dfc90b449fde541ca228a33e1c143
https://git.kernel.org/stable/c/89f305a71418591cdda18180f712f91c9820f03b
https://git.kernel.org/stable/c/7c8bc374659de19d846f7cab3eda9ebdb005c4cc
https://git.kernel.org/stable/c/038e4aa71281d0cbc8aeb56ba05ff7fc5653a106
https://git.kernel.org/stable/c/dc52b73d3acd676ccbb440fcec617c547b903af2
https://git.kernel.org/stable/c/9d47e01b9d807808224347935562f7043a358054
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference state management for synchronous callbacks Currently, verifier verifies callback functions (sync and async) as if they will be executed once, (i.e. it explores execution state as if the function was being called once). The next insn to explore is set to start of subprog and the exit from nested frame is handled using curframe > 0 and prepare_func_exit. In case of async callback it uses a customized variant of push_stack simulating a kind of branch to set up custom state and execution context for the async callback. While this approach is simple and works when callback really will be executed only once, it is unsafe for all of our current helpers which are for_each style, i.e. they execute the callback multiple times. A callback releasing acquired references of the caller may do so multiple times, but currently verifier sees it as one call inside the frame, which then returns to caller. Hence, it thinks it released some reference that the cb e.g. got access through callback_ctx (register filled inside cb from spilled typed register on stack). Similarly, it may see that an acquire call is unpaired inside the callback, so the caller will copy the reference state of callback and then will have to release the register with new ref_obj_ids. But again, the callback may execute multiple times, but the verifier will only account for acquired references for a single symbolic execution of the callback, which will cause leaks. Note that for async callback case, things are different. While currently we have bpf_timer_set_callback which only executes it once, even for multiple executions it would be safe, as reference state is NULL and check_reference_leak would force program to release state before BPF_EXIT. The state is also unaffected by analysis for the caller frame. Hence async callback is safe. Since we want the reference state to be accessible, e.g. 
for pointers loaded from stack through callback_ctx’s PTR_TO_STACK, we still have to copy caller’s reference_state to callback’s bpf_func_state, but we enforce that whatever references it adds to that reference_state has been released before it hits BPF_EXIT. This requires introducing a new callback_ref member in the reference state to distinguish between caller vs callee references. Hence, check_reference_leak now errors out if it sees we are in callback_fn and we have not released callback_ref refs. Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2 etc. we need to also distinguish between whether this particular ref belongs to this callback frame or parent, and only error for our own, so we store state->frameno (which is always non-zero for callbacks). In short, callbacks can read parent reference_state, but cannot mutate it, to be able to use pointers acquired by the caller. They must only undo their changes (by releasing their own acquired_refs before BPF_EXIT) on top of caller reference_state before returning (at which point the caller and callback state will match anyway, so no need to copy it back to caller). 2025-12-09 not yet calculated CVE-2022-50650 https://git.kernel.org/stable/c/4ed5155043c97ac8912bcf67331df87c833fb067
https://git.kernel.org/stable/c/caa176c0953cdfd5ce500fb517ce1ea924a8bc4c
https://git.kernel.org/stable/c/aed931fd3b6e28f19cc140ff90aa5046ee2aa4e1
https://git.kernel.org/stable/c/9d9d00ac29d0ef7ce426964de46fa6b380357d0a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ethtool: eeprom: fix null-deref on genl_info in dump The similar fix as commit 46cdedf2a0fa (“ethtool: pse-pd: fix null-deref on genl_info in dump”) is also needed for ethtool eeprom. 2025-12-09 not yet calculated CVE-2022-50651 https://git.kernel.org/stable/c/138a13d8f5c81266032af680f63069387f2748da
https://git.kernel.org/stable/c/1e3be98592a12511d4e78a9a67aaff3e6ca4980c
https://git.kernel.org/stable/c/9d9effca9d7d7cf6341182a7c5cabcbd6fa28063
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: uio: uio_dmem_genirq: Fix missing unlock in irq configuration Commit b74351287d4b (“uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()”) started calling disable_irq() without holding the spinlock because it can sleep. However, that fix introduced another bug: if interrupt is already disabled and a new disable request comes in, then the spinlock is not unlocked: root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002 [ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000 fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc] [ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21 [ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 14.855664] Call Trace: [ 14.855861] <TASK> [ 14.856025] dump_stack_lvl+0x4d/0x67 [ 14.856325] dump_stack+0x14/0x1a [ 14.856583] __schedule_bug.cold+0x4b/0x5c [ 14.856915] __schedule+0xe81/0x13d0 [ 14.857199] ? idr_find+0x13/0x20 [ 14.857456] ? get_work_pool+0x2d/0x50 [ 14.857756] ? __flush_work+0x233/0x280 [ 14.858068] ? __schedule+0xa95/0x13d0 [ 14.858307] ? idr_find+0x13/0x20 [ 14.858519] ? get_work_pool+0x2d/0x50 [ 14.858798] schedule+0x6c/0x100 [ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110 [ 14.859335] ? tty_write_room+0x1f/0x30 [ 14.859598] ? n_tty_poll+0x1ec/0x220 [ 14.859830] ? tty_ldisc_deref+0x1a/0x20 [ 14.860090] schedule_hrtimeout_range+0x17/0x20 [ 14.860373] do_select+0x596/0x840 [ 14.860627] ? __kernel_text_address+0x16/0x50 [ 14.860954] ? 
poll_freewait+0xb0/0xb0 [ 14.861235] ? poll_freewait+0xb0/0xb0 [ 14.861517] ? rpm_resume+0x49d/0x780 [ 14.861798] ? common_interrupt+0x59/0xa0 [ 14.862127] ? asm_common_interrupt+0x2b/0x40 [ 14.862511] ? __uart_start.isra.0+0x61/0x70 [ 14.862902] ? __check_object_size+0x61/0x280 [ 14.863255] core_sys_select+0x1c6/0x400 [ 14.863575] ? vfs_write+0x1c9/0x3d0 [ 14.863853] ? vfs_write+0x1c9/0x3d0 [ 14.864121] ? _copy_from_user+0x45/0x70 [ 14.864526] do_pselect.constprop.0+0xb3/0xf0 [ 14.864893] ? do_syscall_64+0x6d/0x90 [ 14.865228] ? do_syscall_64+0x6d/0x90 [ 14.865556] __x64_sys_pselect6+0x76/0xa0 [ 14.865906] do_syscall_64+0x60/0x90 [ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50 [ 14.866640] ? do_syscall_64+0x6d/0x90 [ 14.866972] ? do_syscall_64+0x6d/0x90 [ 14.867286] ? do_syscall_64+0x6d/0x90 [ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd […] stripped [ 14.872959] </TASK> (‘myfpga’ is a simple ‘uio_dmem_genirq’ driver I wrote to test this) The implementation of “uio_dmem_genirq” was based on “uio_pdrv_genirq” and it is used in a similar manner to the “uio_pdrv_genirq” driver with respect to interrupt configuration and handling. At the time “uio_dmem_genirq” was introduced, both had the same implementation of the ‘uio_info’ handlers irqcontrol() and handler(). Then commit 34cb27528398 (“UIO: Fix concurrency issue”), which was only applied to “uio_pdrv_genirq”, ended up making them a little different. That commit, among other things, changed disable_irq() to disable_irq_nosync() in the implementation of irqcontrol(). The motivation there was to avoid a deadlock between irqcontrol() and handler(), since it added a spinlock in the irq handler, and disable_irq() waits for the completion of the irq handler. By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also avoid the sleeping-whil —truncated— 2025-12-09 not yet calculated CVE-2022-50652 https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e
https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0
https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106
https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002
https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67
https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905
https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d
https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd
https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34
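
The lock leak the commit message above describes, as an added example (not kernel code): a user-space C model of irqcontrol() in its buggy and fixed shapes. A C11 atomic flag stands in for priv->lock, a bool for bit 0 of priv->flags and a counter for the IRQ disable depth; the branch layout is reconstructed from the description, not copied from the driver. Instead of the "scheduling while atomic" report, the check at the end asks whether the model lock is still held after two disable requests, the same sequence as the two printf writes in the log.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel spinlock: a C11 atomic flag (model only). */
struct spinlock { atomic_flag held; };
static void spin_lock(struct spinlock *l)    { while (atomic_flag_test_and_set(&l->held)) { } }
static void spin_unlock(struct spinlock *l)  { atomic_flag_clear(&l->held); }
static bool spin_trylock(struct spinlock *l) { return !atomic_flag_test_and_set(&l->held); }

/* Hypothetical device state: priv->lock, bit 0 of priv->flags ("IRQ is
 * disabled"), and the disable depth that enable_irq()/disable_irq() keep. */
struct uio_dev {
    struct spinlock lock;
    bool irq_disabled;
    int irq_depth;
};

static void enable_irq(struct uio_dev *d)         { d->irq_depth--; }
static void disable_irq(struct uio_dev *d)        { d->irq_depth++; } /* may sleep: not allowed under a spinlock */
static void disable_irq_nosync(struct uio_dev *d) { d->irq_depth++; } /* never sleeps: fine under the lock */

/* Shape of irqcontrol() after commit b74351287d4b, as the commit message
 * describes it: the disable path drops the lock before the sleeping
 * disable_irq(), but the "already disabled" case returns with the lock held. */
static int irqcontrol_buggy(struct uio_dev *d, int irq_on)
{
    spin_lock(&d->lock);
    if (irq_on) {
        if (d->irq_disabled) {
            d->irq_disabled = false;
            enable_irq(d);
        }
        spin_unlock(&d->lock);
    } else {
        if (!d->irq_disabled) {
            d->irq_disabled = true;
            spin_unlock(&d->lock);
            disable_irq(d);
        }
        /* BUG: when the IRQ was already disabled we return without unlocking. */
    }
    return 0;
}

/* Shape of the fix: use the non-sleeping disable_irq_nosync() so the whole
 * body runs under the lock and every path leaves through one unlock. */
static int irqcontrol_fixed(struct uio_dev *d, int irq_on)
{
    spin_lock(&d->lock);
    if (irq_on) {
        if (d->irq_disabled) {
            d->irq_disabled = false;
            enable_irq(d);
        }
    } else if (!d->irq_disabled) {
        d->irq_disabled = true;
        disable_irq_nosync(d);
    }
    spin_unlock(&d->lock);
    return 0;
}

/* Replays the report (two "disable" writes to /dev/uio0 in a row) and
 * returns true if the lock is still held afterwards, which is the model's
 * equivalent of the task returning to user space in atomic context. */
static bool lock_leaked_after_double_disable(int (*irqcontrol)(struct uio_dev *, int))
{
    struct uio_dev d = { .lock = { ATOMIC_FLAG_INIT }, .irq_disabled = false, .irq_depth = 0 };

    irqcontrol(&d, 0);
    irqcontrol(&d, 0);
    if (spin_trylock(&d.lock)) {
        spin_unlock(&d.lock);
        return false;
    }
    return true;
}

int main(void)
{
    printf("buggy irqcontrol leaves lock held: %s\n",
           lock_leaked_after_double_disable(irqcontrol_buggy) ? "yes" : "no");
    printf("fixed irqcontrol leaves lock held: %s\n",
           lock_leaked_after_double_disable(irqcontrol_fixed) ? "yes" : "no");
    return 0;
}
```

Any C11 compiler builds it stand-alone; the two printed lines show the buggy shape leaving the lock held and the fixed one releasing it.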
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mmc: atmel-mci: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory that was allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it has not been added yet, which will lead to a kernel crash because of a null-ptr-deref in device_del(). So fix this by checking the return value and calling mmc_free_host() in the error path. 2025-12-09 not yet calculated CVE-2022-50653 https://git.kernel.org/stable/c/99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2
https://git.kernel.org/stable/c/6bb26abb92f25e582a0976091a10b539fe3796db
https://git.kernel.org/stable/c/00ac0f5f95920f003cd6ece53cdc759549b69118
https://git.kernel.org/stable/c/1925472dec31ec061d57412b3a65a056ea24f340
https://git.kernel.org/stable/c/cc8bb436f3c842a86b9082d97933582120d180e2
https://git.kernel.org/stable/c/85946ceb0fac20ab39cdb85333086daf0291a553
https://git.kernel.org/stable/c/9e6e8c43726673ca2abcaac87640b9215fd72f4c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix panic due to wrong pageattr of im->image In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampoline in bpf_trampoline_update, and then modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag will be configured, and arch_prepare_bpf_trampoline will be re-executed. At this time, because the pageattr of im->image is rox, arch_prepare_bpf_trampoline will read and write im->image, which causes a fault, as follows: insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c bpftrace -e 'kretfunc:cmdline_proc_show {}' BUG: unable to handle page fault for address: ffffffffa0206000 PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5 RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0 RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202 RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030 RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400 R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8 R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10 FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> bpf_trampoline_update+0x25a/0x6b0 __bpf_trampoline_link_prog+0x101/0x240 bpf_trampoline_link_prog+0x2d/0x50 bpf_tracing_prog_attach+0x24c/0x530 bpf_raw_tp_link_attach+0x73/0x1d0 __sys_bpf+0x100e/0x2570 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x5b/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd 
With this patch, when modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset to nx+rw. 2025-12-09 not yet calculated CVE-2022-50654 https://git.kernel.org/stable/c/d9d383cbf812a3b4094c089aa5f5d41a3bb4531d
https://git.kernel.org/stable/c/7f656fff955ccb216c40fa188a24c05fa40985a5
https://git.kernel.org/stable/c/9ed1d9aeef5842ecacb660fce933613b58af1e00
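
The page-attribute mistake behind the Oops above, as an added example (not kernel code): the same sequence in user space, with an mmap'd page as the trampoline image and mprotect() playing the role of set_memory_ro()/set_memory_rw(). Read-only is enough to show the fault, so the page is never made executable here; the -EAGAIN retry is just a second call to the builder, and reset_before_retry selects between reproducing the fault and doing what the fix does (set the page back to rw before rewriting). The builder and the signal-handler recovery are assumptions of the model, not kernel behaviour.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* Fault handler: unwind to rebuild_after_lock() so the bad write is reported
 * as a result instead of killing the process. The kernel has no such
 * recovery for a stray write in arch_prepare_bpf_trampoline(); it oopses. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Stand-in for the trampoline builder: it writes the whole image. */
static void emit_trampoline(uint8_t *image, size_t len, uint8_t opcode)
{
    memset(image, opcode, len);
}

/* Builds the image, locks the page the way set_memory_ro() does after a
 * successful build, then rebuilds it as the -EAGAIN retry does. With
 * reset_before_retry false this reproduces the fault; with it true the page
 * is first set back to rw, which is what the fix does. Returns true if the
 * retry completed without faulting. */
static bool rebuild_after_lock(bool reset_before_retry)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *image = mmap(NULL, len, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct sigaction sa, old_segv, old_bus;
    volatile bool ok = false;

    if (image == MAP_FAILED)
        return false;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS for this */

    emit_trampoline(image, len, 0x90);  /* first build: page is rw */
    mprotect(image, len, PROT_READ);    /* "rox" in the kernel; ro is enough to show the fault */

    if (sigsetjmp(fault_env, 1) == 0) {
        if (reset_before_retry)
            mprotect(image, len, PROT_READ | PROT_WRITE); /* the fix: nx+rw before rewriting */
        emit_trampoline(image, len, 0xcc);                /* the retry's rebuild */
        ok = true;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(image, len);
    return ok;
}
```

rebuild_after_lock(false) faults on the retry's first store and returns false; rebuild_after_lock(true) returns true because the page was made writable again before the rebuild.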
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ppp: associate skb with a device at tx Syzkaller triggered a flow dissector warning with the following: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0) [ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 [ 9.485929] skb_get_poff+0x53/0xa0 [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 [ 9.485944] ? ppp_send_frame+0xc2/0x5b0 [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 [ 9.485968] ? ppp_xmit_process+0x5b/0xb0 [ 9.485974] ? ppp_write+0x12a/0x190 [ 9.485981] ? do_iter_write+0x18e/0x2d0 [ 9.485987] ? __import_iovec+0x30/0x130 [ 9.485997] ? do_pwritev+0x1b6/0x240 [ 9.486016] ? trace_hardirqs_on+0x47/0x50 [ 9.486023] ? __x64_sys_pwritev+0x24/0x30 [ 9.486026] ? do_syscall_64+0x3d/0x80 [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd Flow dissector tries to find the skb net namespace either via device or via socket. Neither is set in ppp_send_frame, so let's manually use ppp->dev. 2025-12-09 not yet calculated CVE-2022-50655 https://git.kernel.org/stable/c/e387a25552951802102e279931d6f7dd2ecc34c1
https://git.kernel.org/stable/c/30f186978e87bef2f22ed349010d3e23271e8d44
https://git.kernel.org/stable/c/c2a698ff156974908308f42cf5991ab5c0c4b8cd
https://git.kernel.org/stable/c/7da524781c531ebaf2f94c9dc4c541b82edecfed
https://git.kernel.org/stable/c/148dcbd3af039ae39c3af697a3183008c7995805
https://git.kernel.org/stable/c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b
https://git.kernel.org/stable/c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d
https://git.kernel.org/stable/c/ee678b1f52f9439e930db2db3fd7e345d03e1a50
https://git.kernel.org/stable/c/9f225444467b98579cf28d94f4ad053460dfdb84
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Clear nfc_target before being used Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used. Found by a modified version of syzkaller. BUG: KASAN: slab-out-of-bounds in nla_put Call Trace: memcpy nla_put nfc_genl_dump_targets genl_lock_dumpit netlink_dump __netlink_dump_start genl_family_rcv_msg_dumpit genl_rcv_msg netlink_rcv_skb genl_rcv netlink_unicast netlink_sendmsg sock_sendmsg ____sys_sendmsg ___sys_sendmsg __sys_sendmsg do_syscall_64 2025-12-09 not yet calculated CVE-2022-50656 https://git.kernel.org/stable/c/9da4a0411f3455e3885831d0758bee3e3d565bbc
https://git.kernel.org/stable/c/61a7e15d55fae329a245535c3bac494e401005b8
https://git.kernel.org/stable/c/bef2f478513e7367ef3b05441f6afca981de29be
https://git.kernel.org/stable/c/8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03
https://git.kernel.org/stable/c/aea9e64dec2cc6cd742e07ecd4e6236fc76b389b
https://git.kernel.org/stable/c/aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6
https://git.kernel.org/stable/c/755019e37815a66bb0a23893debbd3dd640ccbd3
https://git.kernel.org/stable/c/e491285b4d08884b622638be8e4961eb43b0af64
https://git.kernel.org/stable/c/9f28157778ede0d4f183f7ab3b46995bb400abbe
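
The uninitialised-length bug above, as an added example (not the pn533 driver's code): a cut-down nfc_target, a one-slot "slab" with constructed stale contents, and a model of the nla_put() consumer that reports how far past sensb_res a copy driven by the stale sensb_res_len would read. The field names follow the kernel's struct; the buffer sizes, the sample UID and the 0xff fill pattern are assumptions, and the real bug is caught by KASAN rather than by a length comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cut-down nfc_target: the real struct has more such
 * buffer/length pairs, but these two are enough to show the bug. */
#define NFC_NFCID1_MAXSIZE    10
#define NFC_SENSB_RES_MAXSIZE 12
struct nfc_target {
    uint8_t nfcid1[NFC_NFCID1_MAXSIZE];
    uint8_t nfcid1_len;
    uint8_t sensb_res[NFC_SENSB_RES_MAXSIZE];
    uint8_t sensb_res_len;
};

/* A one-slot "slab" whose previous occupant left it full of stale bytes,
 * the situation the driver's nfc_target array is in when it is reused. */
static uint8_t slab_slot[sizeof(struct nfc_target)];

static struct nfc_target *slab_alloc_reused(void)
{
    memset(slab_slot, 0xff, sizeof(slab_slot)); /* constructed stale contents */
    return (struct nfc_target *)slab_slot;      /* all-uint8_t struct: no alignment concern */
}

/* What the driver writes for a Type A (NFC-A) target. Nothing touches
 * sensb_res_len, so it keeps whatever the slot held before. */
static void pn533_fill_nfca_fields(struct nfc_target *t, const uint8_t *uid, size_t uid_len)
{
    if (uid_len > sizeof(t->nfcid1))
        uid_len = sizeof(t->nfcid1);
    memcpy(t->nfcid1, uid, uid_len);
    t->nfcid1_len = (uint8_t)uid_len;
}

/* Before the fix: the target slot is used exactly as the allocator hands it over. */
static void pn533_target_buggy(struct nfc_target *t, const uint8_t *uid, size_t uid_len)
{
    pn533_fill_nfca_fields(t, uid, uid_len);
}

/* After the fix: clear the whole target first, so every length field this
 * target type does not set reads as zero. */
static void pn533_target_fixed(struct nfc_target *t, const uint8_t *uid, size_t uid_len)
{
    memset(t, 0, sizeof(*t));
    pn533_fill_nfca_fields(t, uid, uid_len);
}

/* Model of the consumer, nla_put(skb, ..., t->sensb_res_len, t->sensb_res):
 * it copies sensb_res_len bytes from sensb_res with no idea how large the
 * buffer is. Returns how many of those bytes lie past the end of sensb_res. */
static size_t sensb_res_overread(const struct nfc_target *t)
{
    size_t len = t->sensb_res_len;
    return len > sizeof(t->sensb_res) ? len - sizeof(t->sensb_res) : 0;
}

/* Runs one target through the buggy or fixed path and reports the over-read. */
static size_t nfca_target_overread_bytes(bool clear_first)
{
    static const uint8_t uid[4] = { 0x04, 0xa2, 0x3c, 0x61 }; /* constructed sample UID */
    struct nfc_target *t = slab_alloc_reused();

    if (clear_first)
        pn533_target_fixed(t, uid, sizeof(uid));
    else
        pn533_target_buggy(t, uid, sizeof(uid));
    return sensb_res_overread(t);
}
```

With the stale 0xff fill, the buggy path reports a sensb_res_len of 255 against a 12-byte buffer, so the consumer would read 243 bytes past it; the cleared path reports zero.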
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: riscv: mm: add missing memcpy in kasan_init Hi Atish, It seems that the panic is due to the missing memcpy during kasan_init. Could you please check whether this patch is helpful? When doing kasan_populate, the new allocated base_pud/base_p4d should contain kasan_early_shadow_{pud, p4d}’s content. Add the missing memcpy to avoid page fault when read/write kasan shadow region. Tested on: – qemu with sv57 and CONFIG_KASAN on. – qemu with sv48 and CONFIG_KASAN on. 2025-12-09 not yet calculated CVE-2022-50657 https://git.kernel.org/stable/c/ff0f6becf3a6f817838b6f80a2c9cca43dce0576
https://git.kernel.org/stable/c/9f2ac64d6ca60db99132e08628ac2899f956a0ec
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix memory leak in error path If for some reason the speedbin length is incorrect, then there is a memory leak in the error path because we never free the speedbin buffer. This commit fixes the error path to always free the speedbin buffer. 2025-12-09 not yet calculated CVE-2022-50658 https://git.kernel.org/stable/c/e55feb31df3fc78b880d6e9d4b5853f05c974833
https://git.kernel.org/stable/c/b5606e3ab1f7cc00d89903f4a11fe57747bb3a68
https://git.kernel.org/stable/c/b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48
https://git.kernel.org/stable/c/9f42cf54403a42cb092636804d2628d8ecf71e75
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hwrng: geode – Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break out of the for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. We add a new struct 'amd_geode_priv' to record the pointer of the pci_dev and the membase, and then add the missing pci_dev_put() for the normal and error paths. 2025-12-09 not yet calculated CVE-2022-50659 https://git.kernel.org/stable/c/88f4ea623f59155280d99d1a59a968f838472c4a
https://git.kernel.org/stable/c/e2f44baf62567c5cfbc274974c7d96dddad53ccc
https://git.kernel.org/stable/c/6b9e43c4098f1310f5b4d52121d007a219fa5d43
https://git.kernel.org/stable/c/5cc818ad53df650cac8fb41d9066665366af3f03
https://git.kernel.org/stable/c/aa96aff394a511cc7bb7df08d1b8504d4d97671e
https://git.kernel.org/stable/c/82bd423ed977847652b2048b0f8dcf049b1847a9
https://git.kernel.org/stable/c/874f798c2db5ad595e46982d7f727a679dacb048
https://git.kernel.org/stable/c/19b7b85773b18457ff85a9ff4f5e2a2d4bf7ed0c
https://git.kernel.org/stable/c/9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445
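
The iterator refcount leak above, as an added example (not the hwrng driver's code): a model of pci_get_device()/for_each_pci_dev() with get-on-return, put-on-@from semantics over a constructed three-device bus, and the probe in its before and after shapes. The device ID constants are named after the kernel's but their values are assumptions here; a flag injects an ioremap failure so the error path can be exercised as well.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Illustrative IDs: the names follow the kernel's, the values are assumed. */
#define PCI_ANY_ID               0xffffu
#define PCI_VENDOR_ID_AMD        0x1022u
#define PCI_DEVICE_ID_AMD_LX_AES 0x2082u

struct pci_dev { unsigned vendor, device; int refcnt; };

/* Constructed bus: the Geode LX security block sits between two others. */
static struct pci_dev bus[] = {
    { 0x8086u, 0x1234u, 0 },
    { PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_LX_AES, 0 },
    { 0x10deu, 0x5678u, 0 },
};
#define NDEV (sizeof(bus) / sizeof(bus[0]))

static void pci_dev_put(struct pci_dev *d) { if (d) d->refcnt--; }

/* Model of pci_get_device(): drops the reference held on @from and returns
 * the next match holding a new reference, or NULL once the bus is exhausted. */
static struct pci_dev *pci_get_device(unsigned vendor, unsigned device, struct pci_dev *from)
{
    size_t i = from ? (size_t)(from - bus) + 1 : 0;

    pci_dev_put(from);
    for (; i < NDEV; i++) {
        bool vendor_ok = vendor == PCI_ANY_ID || bus[i].vendor == vendor;
        bool device_ok = device == PCI_ANY_ID || bus[i].device == device;
        if (vendor_ok && device_ok) {
            bus[i].refcnt++;
            return &bus[i];
        }
    }
    return NULL;
}

#define for_each_pci_dev(d) \
    for ((d) = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, NULL); (d); \
         (d) = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, (d)))

static bool ioremap_fails;   /* fault injection for the probe's next step */

/* Before the fix: breaking out of for_each_pci_dev() with pdev != NULL
 * keeps the reference the iterator took, and nothing ever drops it. */
static int geode_probe_buggy(void)
{
    struct pci_dev *pdev = NULL;

    for_each_pci_dev(pdev)
        if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == PCI_DEVICE_ID_AMD_LX_AES)
            break;
    if (!pdev)
        return -ENODEV;
    if (ioremap_fails)
        return -ENOMEM;   /* error path: reference leaked */
    return 0;             /* success path: reference leaked as well */
}
static void geode_remove_buggy(void) { }

/* After the fix: keep the pci_dev in driver-private data and put it on the
 * error path and in remove(). */
struct amd_geode_priv { struct pci_dev *pcidev; void *membase; };
static struct amd_geode_priv priv;

static int geode_probe_fixed(void)
{
    struct pci_dev *pdev = NULL;

    for_each_pci_dev(pdev)
        if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == PCI_DEVICE_ID_AMD_LX_AES)
            break;
    if (!pdev)
        return -ENODEV;
    if (ioremap_fails) {
        pci_dev_put(pdev);
        return -ENOMEM;
    }
    priv.pcidev = pdev;
    return 0;
}
static void geode_remove_fixed(void)
{
    pci_dev_put(priv.pcidev);
    priv.pcidev = NULL;
}

/* Runs probe (and remove, if probe succeeded) from a clean bus and returns
 * the number of references still held afterwards; zero is correct. */
static int refs_left_after(int (*probe)(void), void (*remove)(void), bool inject_ioremap_failure)
{
    int total = 0;
    size_t i;

    for (i = 0; i < NDEV; i++)
        bus[i].refcnt = 0;
    ioremap_fails = inject_ioremap_failure;
    if (probe() == 0)
        remove();
    for (i = 0; i < NDEV; i++)
        total += bus[i].refcnt;
    return total;
}
```

The buggy probe leaves one reference on the AMD device whether the later setup succeeds or fails; the fixed probe leaves none on either path.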
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ipw2200: fix memory leak in ipw_wdev_init() In the error path of ipw_wdev_init(), exception value is returned, and the memory applied for in the function is not released. Also the memory is not released in ipw_pci_probe(). As a result, memory leakage occurs. So memory release needs to be added to the error path of ipw_wdev_init(). 2025-12-09 not yet calculated CVE-2022-50660 https://git.kernel.org/stable/c/75d20ba9506eb90d92e660e04dd887ff1495fcc3
https://git.kernel.org/stable/c/fb3517b92a45c8004ac26250ae041a24eb23fef1
https://git.kernel.org/stable/c/112c1af02b8f535baf42ef9d807aea963705ef15
https://git.kernel.org/stable/c/8a2eb9d9d0c1535bc8e22840193bff4cdcac878b
https://git.kernel.org/stable/c/9424ea9d557ef41d86eb40b6349ae991c3dcff89
https://git.kernel.org/stable/c/62ec7e8bf42f1542f966dda687c654aae81718c8
https://git.kernel.org/stable/c/1f590fb3d14e5db3a9e06ee141b1685c429278ce
https://git.kernel.org/stable/c/9fe21dc626117fb44a8eb393713a86a620128ce3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: seccomp: Move copy_seccomp() to no failure path. Our syzbot instance reported memory leaks in do_seccomp() [0], similar to the report [1]. It shows that we miss freeing struct seccomp_filter and some objects included in it. We can reproduce the issue with the program below [2] which calls one seccomp() and two clone() syscalls. The first clone()d child exits earlier than its parent and sends a signal to kill it during the second clone(), more precisely before the fatal_signal_pending() test in copy_process(). When the parent receives the signal, it has to destroy the embryonic process and return -EINTR to user space. In the failure path, we have to call seccomp_filter_release() to decrement the filter’s refcount. Initially, we called it in free_task() called from the failure path, but the commit 3a15fb6ed92c (“seccomp: release filter after task is fully dead”) moved it to release_task() to notify user space as early as possible that the filter is no longer used. To keep the change and current seccomp refcount semantics, let’s move copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in free_task() for future debugging. [0]: unreferenced object 0xffff8880063add00 (size 256): comm “repro_seccomp”, pid 230, jiffies 4294687090 (age 9.914s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ……………. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ……………. backtrace: do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffffc90000035000 (size 4096): comm “repro_seccomp”, pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ……………. 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: __vmalloc_node_range (mm/vmalloc.c:3226) __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4)) bpf_prog_alloc_no_stats (kernel/bpf/core.c:91) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888003fa1000 (size 1024): comm “repro_seccomp”, pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888006360240 (size 16): comm “repro_seccomp”, pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 16 bytes): 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl…….. backtrace: bpf_prog_store_orig_filter (net/core/filter.c:1137) bpf_prog_create_from_user (net/core/filter.c:1428) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888 —truncated— 2025-12-09 not yet calculated CVE-2022-50661 https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5
https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980
https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182
https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986
https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: fix memory leak in hns_roce_alloc_mr() When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released. Compiled test only. 2025-12-09 not yet calculated CVE-2022-50662 https://git.kernel.org/stable/c/164fa80330a81db67c26d10d071083941d29a510
https://git.kernel.org/stable/c/35f9cd060e68ff910e49bf37b1b0d336a311849a
https://git.kernel.org/stable/c/fd32e378bc1dea0d48767adf2bbb478581bb0a95
https://git.kernel.org/stable/c/fc2c43bf41c89e7451fe750025ae55eb2e2a741d
https://git.kernel.org/stable/c/a115aa00b18f7b8982b8f458149632caf64a862a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix possible memory leak in stmmac_dvr_probe() The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, otherwise there will be a memory leak, so we add the err path error_wq_init to fix it. 2025-12-09 not yet calculated CVE-2022-50663 https://git.kernel.org/stable/c/96e50897029f65222ef76cfe9bc802321fcea33b
https://git.kernel.org/stable/c/b59253e32c203a20bce15dca80890b7d268bacd7
https://git.kernel.org/stable/c/446757787baf99b7db15cb347783c45a37bfe21f
https://git.kernel.org/stable/c/a137f3f27f9290933fe7e40e6dc8a445781c31a2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: fix leak of memory fw 2025-12-09 not yet calculated CVE-2022-50664 https://git.kernel.org/stable/c/afccb6ac63fc4328bc61ba086a3cad30054d87c1
https://git.kernel.org/stable/c/a44828482bd5b11d728d7dac09b0d723aab9ff7b
https://git.kernel.org/stable/c/b4d8fd008de1774d99a5b50acc03d92a1919c3a7
https://git.kernel.org/stable/c/438a4a8dece2abac099777a00db91784c0996cdc
https://git.kernel.org/stable/c/b42580c8d8aac11a66046897979cc13cfd04c541
https://git.kernel.org/stable/c/438cd29fec3ea09769639f6032687e0c1434dbe0
https://git.kernel.org/stable/c/25cab05aa2df904ee1fea37d8dfa0d92c951bb4e
https://git.kernel.org/stable/c/669fb90507dbaf419aa3871bf73160e93d50487f
https://git.kernel.org/stable/c/a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected There is a failure log from ath11k_dbg() in ath11k_dp_rx_process_mon_status(), shown below; it is not printed unless debug_mask has ATH11K_DBG_DATA set. ath11k_dbg(ab, ATH11K_DBG_DATA, "failed to find the peer with peer_id %d\n", ppdu_info.peer_id); When running a scan with the station disconnected, the peer_id is 0 for case HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv(), which is called from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is reset to 0 in the while loop, so it does not match the condition of the check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and then the log "failed to find the peer with peer_id 0" is printed after the check in the loop. Below is the call stack when debug_mask has ATH11K_DBG_DATA set. The reason is that commit 01d2f285e3e5 ("ath11k: decode HE status tlv") added "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in ath11k_dp_rx_process_mon_status(), but the commit does not initialize the peer_id to HAL_INVALID_PEERID, which leads to the check mismatch. 
Callstack of the failed log: [12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k] [12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd [12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246 [12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000 [12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18 [12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000 [12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40 [12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000 [12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000 [12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0 [12335.689360] Call Trace: [12335.689377] <IRQ> [12335.689418] ? rcu_read_lock_held_common+0x12/0x50 [12335.689447] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689471] ? rcu_read_lock_held_common+0x12/0x50 [12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689653] ? lock_acquire+0xef/0x360 [12335.689681] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k] [12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689860] call_timer_fn+0xb2/0x2f0 [12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689970] run_timer_softirq+0x21f/0x540 [12335.689999] ? ktime_get+0xad/0x160 [12335.690025] ? lapic_next_deadline+0x2c/0x40 [12335.690053] ? 
clockevents_program_event+0x82/0x100 [12335.690093] __do_softirq+0x151/0x4a8 [12335.690135] irq_exit_rcu+0xc9/0x100 [12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0 [12335.690189] </IRQ> [12335.690204] <TASK> [12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20 Reset the default value to HAL_INVALID_PEERID each time after the memset of ppdu_info, as well as after the other memsets that exist in function ath11k_dp_rx_process_mon_status(); then the failure log disappeared. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 2025-12-09 not yet calculated CVE-2022-50665 https://git.kernel.org/stable/c/c0bb97a90b133416b50b3ffbdb7efca9253cc687
https://git.kernel.org/stable/c/a5b03df19041e5ce35c7f048fa84bf1b0ceb1311
https://git.kernel.org/stable/c/a20ed60bb357776301c2dad7b4a4f0db97e143e9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix QP destroy to wait for all references dropped. Delay QP destroy completion until all siw references to the QP are dropped. The calling RDMA core will free the QP structure after a successful return from the siw_qp_destroy() call, so siw must not hold any remaining reference to the QP upon return. A use-after-free was encountered in xfstest generic/460, while testing NFSoRDMA. Here, after a TCP connection drop by the peer, the triggered siw_cm_work_handler got delayed until after the QP destroy call, referencing a QP which had already been freed. 2025-12-09 not yet calculated CVE-2022-50666 https://git.kernel.org/stable/c/5c75d608fad58301b63e7d69200c13c3a1d411da
https://git.kernel.org/stable/c/74ad141e995a730760b1bcfa14854b7f1057d6bc
https://git.kernel.org/stable/c/0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737
https://git.kernel.org/stable/c/a3c278807a459e6f50afee6971cabe74cccfb490
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl() If the copy of the description string from userspace fails, then the page for the instance descriptor doesn’t get freed before returning -EFAULT, which leads to a memleak. 2025-12-09 not yet calculated CVE-2022-50667 https://git.kernel.org/stable/c/b47a37ad4a444d82f9caf153a79d090b79786ebb
https://git.kernel.org/stable/c/6ad40bbb2c25f17b899fcea114ebc0a46d8a938b
https://git.kernel.org/stable/c/53066b144715332ce9370143c33c50d9a4d3e809
https://git.kernel.org/stable/c/a40c7f61d12fbd1e785e59140b9efd57127c0c33
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly keep finding xattr block for reuse in mbcache but we are unable to reuse it because its reference count is too big. This happens because cache entry for the xattr block is marked as reusable (e_reusable set) although its reference count is too big. When this inconsistency happens, this inconsistent state is kept indefinitely and so ext4_xattr_block_set() keeps retrying indefinitely. The inconsistent state is caused by non-atomic update of e_reusable bit. e_reusable is part of a bitfield and e_reusable update can race with update of e_referenced bit in the same bitfield resulting in loss of one of the updates. Fix the problem by using atomic bitops instead. This bug has been around for many years, but it became *much* easier to hit after commit 65f8b80053a1 (“ext4: fix race when reusing xattr blocks”). 2025-12-09 not yet calculated CVE-2022-50668 https://git.kernel.org/stable/c/efaa0ca678f56d47316a08030b2515678cebbc50
https://git.kernel.org/stable/c/af53065276376750dfac35a7248af18806404c5d
https://git.kernel.org/stable/c/1be16a0c2f10186df505e28b0cc92d7f3366e2a8
https://git.kernel.org/stable/c/5bc0b2fda4b47c86278f7c6d30c211f425bf51cf
https://git.kernel.org/stable/c/127b80cefb941a81255c72f11081123f3a705369
https://git.kernel.org/stable/c/cc1538c693d25e282bed8c54b65c914a04023a78
https://git.kernel.org/stable/c/a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd
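
The lost update behind the deadlock above, as an added example (not ext4 code): the interleaving of two bitfield writes on one word, made explicit step by step so it can be reproduced, next to the same two updates on a flags word driven by C11 atomic fetch_and/fetch_or (the user-space counterpart of the kernel's clear_bit()/set_bit()). The last function models the reuse decision in ext4_xattr_block_set() to show why an entry left "reusable" at EXT4_XATTR_REFCOUNT_MAX never makes progress; field and constant names follow ext4, the control flow is a simplification.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Layout before the fix: both flags share one bitfield word, so updating
 * either one is a load, modify and store of the whole word. */
struct mb_entry_bitfield {
    unsigned int e_referenced:1;
    unsigned int e_reusable:1;
};

/* Interleaving that loses an update. CPU0 is ext4 clearing e_reusable
 * because the xattr block's refcount hit its limit; CPU1 is a cache lookup
 * hit setting e_referenced. Both load the word before either stores it. */
static struct mb_entry_bitfield racy_bitfield_update(void)
{
    struct mb_entry_bitfield e = { .e_referenced = 0, .e_reusable = 1 };
    struct mb_entry_bitfield cpu0 = e;   /* CPU0: load word */
    struct mb_entry_bitfield cpu1 = e;   /* CPU1: load word */

    cpu0.e_reusable = 0;                 /* CPU0: modify its copy */
    cpu1.e_referenced = 1;               /* CPU1: modify its copy */
    e = cpu0;                            /* CPU0: store */
    e = cpu1;                            /* CPU1: store, wiping CPU0's clear */
    return e;
}

/* Layout after the fix: one flags word driven by atomic bit operations.
 * Each fetch_and/fetch_or is a single indivisible read-modify-write, so no
 * interleaving of the two CPUs can drop either update. */
enum { MBE_REFERENCED_B = 0, MBE_REUSABLE_B = 1 };
struct mb_entry_atomic { atomic_ulong e_flags; };

static void mbe_set_bit(int nr, struct mb_entry_atomic *e)
{
    atomic_fetch_or(&e->e_flags, 1UL << nr);
}
static void mbe_clear_bit(int nr, struct mb_entry_atomic *e)
{
    atomic_fetch_and(&e->e_flags, ~(1UL << nr));
}
static bool mbe_test_bit(int nr, struct mb_entry_atomic *e)
{
    return (atomic_load(&e->e_flags) >> nr) & 1UL;
}

/* Reports whether the racy bitfield path ends with e_reusable still set
 * even though CPU0 cleared it (and e_referenced set by CPU1). */
static bool bitfield_clear_is_lost(void)
{
    struct mb_entry_bitfield e = racy_bitfield_update();
    return e.e_reusable == 1 && e.e_referenced == 1;
}

/* The same two updates on the atomic layout: the clear cannot be lost. */
static bool atomic_clear_is_lost(void)
{
    struct mb_entry_atomic e = { .e_flags = 1UL << MBE_REUSABLE_B };

    mbe_clear_bit(MBE_REUSABLE_B, &e);
    mbe_set_bit(MBE_REFERENCED_B, &e);
    return mbe_test_bit(MBE_REUSABLE_B, &e);
}

/* Consumer side: ext4_xattr_block_set() reuses a cached block only while it
 * is marked reusable and its refcount is under the limit; an entry that is
 * "reusable" at the limit is found again on every retry. Returns true if the
 * caller can make progress (reuse the block, or skip it and allocate). */
#define EXT4_XATTR_REFCOUNT_MAX 1024
static bool xattr_block_set_makes_progress(bool e_reusable, unsigned int refcount)
{
    if (!e_reusable)
        return true;                           /* not a candidate: allocate a new block */
    return refcount < EXT4_XATTR_REFCOUNT_MAX; /* reuse it; otherwise retry the lookup */
}
```

The bitfield interleaving ends with both bits set although one CPU cleared e_reusable; the atomic layout ends with e_reusable clear regardless of ordering. Fed the stale state, the reuse decision never returns true, which is the endless retry the commit message describes.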
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible name leak in ocxl_file_register_afu() If device_register() returns an error in ocxl_file_register_afu(), the name allocated by dev_set_name() needs to be freed. As the comment of device_register() says, it should use put_device() to give up the reference in the error path. So fix this by calling put_device(); then the name can be freed in kobject_cleanup(), and info is freed in info_release(). 2025-12-09 not yet calculated CVE-2022-50669 https://git.kernel.org/stable/c/0cd05062371a49774e8a45258bdedf0bd6d3d327
https://git.kernel.org/stable/c/7525741cb302a1672b8c3a5edb2a08e4229b5c7c
https://git.kernel.org/stable/c/3299983a6bf628249ac650908e62d12de959341e
https://git.kernel.org/stable/c/557b7de055d1e230ddb6664c29d26917b8db9143
https://git.kernel.org/stable/c/2fce8b3583d1641a1716486f408478b58e96ec91
https://git.kernel.org/stable/c/a4cb1004aeed2ab893a058fad00a5b41a12c4691
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory that was allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it has not been added yet, which will lead to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and going to the error path, which will call mmc_free_host(). 2025-12-09 not yet calculated CVE-2022-50670 https://git.kernel.org/stable/c/f153c9e15f8961bdf38707853e15b42ea7c691d9
https://git.kernel.org/stable/c/fb3d596267a98813a7a8206097d8d46c98505a0d
https://git.kernel.org/stable/c/62005dfcc396424db3337a1dc3ab49623537f5e5
https://git.kernel.org/stable/c/a5f8a4583280a76e50329b910e91ef1dea1e6c79
https://git.kernel.org/stable/c/4e1dc24bcfc8257f24c0663badec7e4f3ae80558
https://git.kernel.org/stable/c/a525cad241c339ca00bf7ebf03c5180f2a9b767c
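
The ignored-return pattern shared by this entry and the atmel-mci one (CVE-2022-50653) above, as an added example (not mmc code): a user-space model of mmc_alloc_host()/mmc_add_host()/mmc_remove_host()/mmc_free_host() with a fault-injection switch on mmc_add_host(), a probe() in its before and after shapes, and a driver-core style probe/remove cycle that counts leaked hosts and flags the device_del() on a never-added host that the commit message calls a null-ptr-deref. Function names follow the kernel's; their bodies are stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Model bookkeeping: live host allocations, whether device_del() was
 * reached on a host that was never added, and a fault-injection switch. */
static int hosts_live;
static bool null_ptr_deref;
static bool inject_add_failure;

struct mmc_host { bool added; };

static struct mmc_host *mmc_alloc_host(void)
{
    struct mmc_host *h = calloc(1, sizeof(*h));
    if (h)
        hosts_live++;
    return h;
}
static void mmc_free_host(struct mmc_host *h)
{
    hosts_live--;
    free(h);
}
static int mmc_add_host(struct mmc_host *h)
{
    if (inject_add_failure)
        return -ENODEV;
    h->added = true;
    return 0;
}
/* mmc_remove_host() ends in device_del(); on a host that was never added
 * that is the null-ptr-deref the commit message describes. */
static void mmc_remove_host(struct mmc_host *h)
{
    if (!h->added) {
        null_ptr_deref = true;
        return;
    }
    h->added = false;
}

/* What remove() later finds via platform_get_drvdata(). */
static struct mmc_host *drvdata;

/* Before the fix: the result of mmc_add_host() is dropped, so a failed add
 * still reports a successful probe and hands the un-added host to remove(). */
static int probe_buggy(void)
{
    struct mmc_host *host = mmc_alloc_host();

    if (!host)
        return -ENOMEM;
    mmc_add_host(host);           /* BUG: return value ignored */
    drvdata = host;
    return 0;
}

/* After the fix: check the result and unwind, in reverse order of setup,
 * through a labelled error path. */
static int probe_fixed(void)
{
    struct mmc_host *host = mmc_alloc_host();
    int ret;

    if (!host)
        return -ENOMEM;
    ret = mmc_add_host(host);
    if (ret)
        goto err_free_host;
    drvdata = host;
    return 0;

err_free_host:
    mmc_free_host(host);
    return ret;
}

static void remove_common(void)
{
    mmc_remove_host(drvdata);
    if (null_ptr_deref)
        return;                   /* the real kernel would have crashed here */
    mmc_free_host(drvdata);
    drvdata = NULL;
}

/* One probe/remove cycle as the driver core would run it: remove() only
 * follows a successful probe(). Returns the number of hosts still allocated. */
static int hosts_leaked_after(int (*probe)(void), bool add_fails)
{
    hosts_live = 0;
    null_ptr_deref = false;
    drvdata = NULL;
    inject_add_failure = add_fails;
    if (probe() == 0)
        remove_common();
    return hosts_live;
}

static bool crashed_in_remove(void) { return null_ptr_deref; }
```

With the add failure injected, the buggy probe reports success, remove() then hits the never-added host, and the allocation is never returned; the fixed probe fails cleanly with nothing left behind, and behaves identically to the buggy one when mmc_add_host() succeeds.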
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not initialized. Because creation of the qp fails, the function rxe_create_qp will call rxe_qp_do_cleanup to handle the allocated resources. Before calling __rxe_do_task, both qp->req.task.func and qp->req.task.arg should be checked. 2025-12-09 not yet calculated CVE-2022-50671 https://git.kernel.org/stable/c/48cd7098e71735ccafa0b3cf27c53924f9cb5b2f
https://git.kernel.org/stable/c/eca119693010032d6cc6e7e9b4fb2c363c7e12ce
https://git.kernel.org/stable/c/9c5dd6993c794703e74c6ba17ac78ca0211ef940
https://git.kernel.org/stable/c/0d773c58d702f0a7c16ee8d69617fd2c28350795
https://git.kernel.org/stable/c/cdce36a88def550773142a34ef727a830cad96a8
https://git.kernel.org/stable/c/f2f405af70e6f0419e718d23fa304798a5405c41
https://git.kernel.org/stable/c/bb33fa65da77f5f02dbee6f25cebaeedfcd70028
https://git.kernel.org/stable/c/3b8752f086eb6865cc3662ad13249b03024501e5
https://git.kernel.org/stable/c/a625ca30eff806395175ebad3ac1399014bdb280
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mailbox: zynq-ipi: fix error handling while device_register() fails If device_register() fails, it has two issues: 1. The name allocated by dev_set_name() is leaked. 2. The parent of the device is not NULL; device_unregister() is called in zynqmp_ipi_free_mboxes(), which will lead to a kernel crash because of removing a device that was not added. Call put_device() to give up the reference, so the name is freed in kobject_cleanup(). Add a device-registered check in zynqmp_ipi_free_mboxes() to avoid the null-ptr-deref. 2025-12-09 not yet calculated CVE-2022-50672 https://git.kernel.org/stable/c/b3a5c76f61e2b380e29dfc6705854ca1ee85501d
https://git.kernel.org/stable/c/a39b4de0804f9fe0ae911b359ffd4afe7d9d933b
https://git.kernel.org/stable/c/4f05d8e2fb3ab702c2633a74571e1b31cb579985
https://git.kernel.org/stable/c/f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a
https://git.kernel.org/stable/c/3fcf079958c00d83c51e4f250abf2c77fe9cc1b9
https://git.kernel.org/stable/c/a6792a0cdef0b1c2d77920246283a72537e60e94
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught an issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace: <TASK> dump_stack_lvl+0x73/0x9f print_report+0x25d/0x759 kasan_report+0xc0/0x120 __asan_load8+0x99/0x140 __list_add_valid+0x28/0x1a0 ext4_orphan_cleanup+0x564/0x9d0 [ext4] __ext4_fill_super+0x48e2/0x5300 [ext4] ext4_fill_super+0x19f/0x3a0 [ext4] get_tree_bdev+0x27b/0x450 ext4_get_tree+0x19/0x30 [ext4] vfs_get_tree+0x49/0x150 path_mount+0xaae/0x1350 do_mount+0xe2/0x110 __x64_sys_mount+0xf0/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> […] ================================================================== The above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup -- loop1: assume last_orphan is 12 -- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan) ext4_truncate -> return 0 ext4_inode_attach_jinode -> return -ENOMEM iput(inode) -> free inode<12> -- loop2: last_orphan is still 12 -- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan); // use inode<12> and trigger UAF To solve this issue, we need to propagate the return value of ext4_inode_attach_jinode() appropriately. 2025-12-09 not yet calculated CVE-2022-50673 https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709
https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858
https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf
https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159
https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478
https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da
https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: riscv: vdso: fix NULL dereference in vdso_join_timens() when vfork Testing tools/testing/selftests/timens/vfork_exec.c got below kernel log: [ 6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020 [ 6.842255] Oops [#1] [ 6.842871] Modules linked in: [ 6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8 [ 6.845861] Hardware name: riscv-virtio,qemu (DT) [ 6.848009] epc : vdso_join_timens+0xd2/0x110 [ 6.850097] ra : vdso_join_timens+0xd2/0x110 [ 6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0 [ 6.852562] gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030 [ 6.853852] t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40 [ 6.854984] s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c [ 6.856221] a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000 [ 6.858114] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038 [ 6.859484] s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000 [ 6.860751] s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38 [ 6.862029] s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e [ 6.863304] s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f [ 6.864565] t5 : ffffffff80d11130 t6 : ff6000000181fa00 [ 6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d [ 6.868046] [<ffffffff8008dc94>] timens_commit+0x38/0x11a [ 6.869089] [<ffffffff8008dde8>] timens_on_fork+0x72/0xb4 [ 6.870055] [<ffffffff80190096>] begin_new_exec+0x3c6/0x9f0 [ 6.871231] [<ffffffff801d826c>] load_elf_binary+0x628/0x1214 [ 6.872304] [<ffffffff8018ee7a>] bprm_execve+0x1f2/0x4e4 [ 6.873243] [<ffffffff8018f90c>] do_execveat_common+0x16e/0x1ee [ 6.874258] [<ffffffff8018f9c8>] sys_execve+0x3c/0x48 [ 6.875162] [<ffffffff80003556>] ret_from_syscall+0x0/0x2 [ 6.877484] —[ end trace 0000000000000000 ]— This is because the mm->context.vdso_info is NULL in the vfork case. From another side, mm->context.vdso_info either points to vdso info for RV64 or vdso info for compat, so there’s no need to bloat riscv’s mm_context_t; we can handle the difference when setting up the additional page for the vdso. 2025-12-09 not yet calculated CVE-2022-50674 https://git.kernel.org/stable/c/df30c4feba51beeb138f3518c2421abc8cbda3c1
https://git.kernel.org/stable/c/f2419a6fbb4caf8cf3fe0ac7e4cf2e28127d04b4
https://git.kernel.org/stable/c/a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Prior to commit 69e3b846d8a7 (“arm64: mte: Sync tags for pages where PTE is untagged”), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page. The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN. This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 (“arm64: mte: reset the page tag in page->flags”). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y): BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26 Read at addr f5ff000017f2e000 by task syz-executor.1/2218 Pointer tag: [f5], memory tag: [f2] Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()). 2025-12-09 not yet calculated CVE-2022-50675 https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23
https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821
https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: rds: don’t hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac3615e7f3cffe2a (“RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()”) added cancel_delayed_work_sync() into a section protected by lock_sock() without realizing that rds_send_xmit() might call lock_sock(). We don’t need to protect cancel_delayed_work_sync() using lock_sock(), for even if rds_{send,recv}_worker() re-queued this work while __flush_work() from cancel_delayed_work_sync() was waiting for this work to complete, retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP bit. 2025-12-09 not yet calculated CVE-2022-50676 https://git.kernel.org/stable/c/5d2ba255e93211e541373469dffbda7c99dfa0e5
https://git.kernel.org/stable/c/2425007c0967a7c04b0dee7cce05ecf0ca869ad1
https://git.kernel.org/stable/c/e3cb25d3ad08f5dbd53ce2b31720cad529944322
https://git.kernel.org/stable/c/360aa7219285fac63dab99706a16f2daf3222abe
https://git.kernel.org/stable/c/da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c
https://git.kernel.org/stable/c/30bfa5aa7228eb1e67663d67e553627e572cc717
https://git.kernel.org/stable/c/c380c28ab9b15fc53565909c814f6dd3e7f77c4b
https://git.kernel.org/stable/c/afe7053c390fe8ff27d0c2ceaece5625283044ba
https://git.kernel.org/stable/c/a91b750fd6629354460282bbf5146c01b05c4859
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the “intf” pointer so we cannot dereference it again on the next line. 2025-12-09 not yet calculated CVE-2022-50677 https://git.kernel.org/stable/c/35ad87bfe330f7ef6a19f772223c63296d643172
https://git.kernel.org/stable/c/d23006f2a56e11a3103de0ca8b843bf7fd7d76fc
https://git.kernel.org/stable/c/f29d127b372e1b7662397d92341d9f7de198ff99
https://git.kernel.org/stable/c/bfce073089cb81482521c65061835aaa6d1a6cc0
https://git.kernel.org/stable/c/f7fde441198a9ecb130c3ccec91ee2131d6998ee
https://git.kernel.org/stable/c/1fc9b20a7688000fcf4d7fbaa58e415a3cdda961
https://git.kernel.org/stable/c/a92ce570c81dc0feaeb12a429b4bc65686d17967
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting a random MAC address and causes an invalid address access when printing the value of pi->reqs[i]->reqid. We replace the reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 136.743359] Exception class = DABT (current EL), IL = 32 bits [ 136.749294] SET = 0, FnV = 0 [ 136.752481] EA = 0, S1PTW = 0 [ 136.755635] Data abort info: [ 136.758514] ISV = 0, ISS = 0x00000004 [ 136.762487] CM = 0, WnR = 0 [ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 [ 136.772265] [0000000000000000] pgd=0000000000000000 [ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) [ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) [ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 [ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) [ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) [ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] [ 136.828162] sp : ffff00000e9a3880 [ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 [ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 [ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 [ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 [ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 [ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 [ 136.863343] x17: 0000000000000000 x16: 0000000000000000 [ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 [ 136.873966] x13: 0000000000003135 x12: 0000000000000000 [ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 [ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 [ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d [ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 [ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 [ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 [ 136.911146] Call trace: [ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] [ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] [ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] [ 136.937298] genl_rcv_msg+0x358/0x3f4 [ 136.940960] netlink_rcv_skb+0xb4/0x118 [ 136.944795] genl_rcv+0x34/0x48 [ 136.947935] netlink_unicast+0x264/0x300 [ 136.951856] netlink_sendmsg+0x2e4/0x33c [ 136.955781] __sys_sendto+0x120/0x19c 2025-12-09 not yet calculated CVE-2022-50678 https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba
https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e
https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804
https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984
https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715
https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4
https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17
https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: i40e: Fix DMA mappings leak During reallocation of RX buffers, new DMA mappings are created for those buffers. Steps for reproduction: while :; do for ((i=0; i<=8160; i=i+32)); do ethtool -G enp130s0f0 rx $i tx $i; sleep 0.5; ethtool -g enp130s0f0; done; done This resulted in a crash: i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536 Driver BUG WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50 Call Trace: i40e_free_rx_resources+0x70/0x80 [i40e] i40e_set_ringparam+0x27c/0x800 [i40e] ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b Missing register, driver bug WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140 Call Trace: xdp_rxq_info_unreg+0x1e/0x50 i40e_free_rx_resources+0x70/0x80 [i40e] i40e_set_ringparam+0x27c/0x800 [i40e] ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b This was caused because new buffers with a different RX ring count should have substituted for the older ones, but those buffers were freed in i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi, thus kfree on rx_bi caused a leak of already mapped DMA. Fix this by reallocating ZC with the rx_bi_zc struct when a BPF program loads. Additionally, reallocate back to rx_bi when the BPF program unloads. If a BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in the XSP_SETUP_XSK_POOL handler. 2025-12-09 not yet calculated CVE-2022-50679 https://git.kernel.org/stable/c/ed5baf3d0a33caaca4cd4073ebb0854cc77a616d
https://git.kernel.org/stable/c/94a171c982b8a8137a00721c1e62bc2713435bca
https://git.kernel.org/stable/c/5f499596dfa3db9b3172645b6de9e1096a669c95
https://git.kernel.org/stable/c/aae425efdfd1b1d8452260a3cb49344ebf20b1f5
 
n/a–Malwarebytes 1.0.14 Malwarebytes 1.0.14 for Linux doesn’t properly compute signatures in some scenarios. This allows a bypass of detection. 2025-12-12 not yet calculated CVE-2023-29144 https://malwarebytes.com
https://www.malwarebytes.com/secure/cves/cve-2023-29144
 
Tinycontrol–Tinycontrol LAN Controller v Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated configuration-backup disclosure vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication. 2025-12-09 not yet calculated CVE-2023-53739 ExploitDB-51731
Tinycontrol Product Homepage
Zero Science Lab Advisory ID
VulnCheck Advisory: Tinycontrol LAN Controller v3 LK3 1.58a Unauthenticated Configuration Backup Disclosure
 
DB Elettronica Telecomunicazioni SpA–Screen SFT DAB Series – Compact Radio DAB Transmitter Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a new MD5-hashed password to directly modify the admin account. 2025-12-10 not yet calculated CVE-2023-53740 ExploitDB-51458
Product Homepage
Official Product Homepage
Vendor Homepage
Advisory URL
VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Admin Password Change
 
DB Elettronica Telecomunicazioni SpA–Screen SFT DAB Series – Compact Radio DAB Transmitter Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers. Attackers can exploit the vulnerable API by intercepting and reusing established sessions to remove user accounts without proper authorization. 2025-12-10 not yet calculated CVE-2023-53741 ExploitDB-51457
Product Homepage
Official Product Homepage
Vendor Homepage
Vendor Security Advisory for ZSL-2023-5773
VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via IP Session Management
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: kcsan: Avoid READ_ONCE() in read_instrumented_memory() Haibo Li reported: | Unable to handle kernel paging request at virtual address | ffffff802a0d8d7171 | Mem abort info:o: | ESR = 0x9600002121 | EC = 0x25: DABT (current EL), IL = 32 bitsts | SET = 0, FnV = 0 0 | EA = 0, S1PTW = 0 0 | FSC = 0x21: alignment fault | Data abort info:o: | ISV = 0, ISS = 0x0000002121 | CM = 0, WnR = 0 0 | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000 | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003, | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707 | Internal error: Oops: 96000021 [#1] PREEMPT SMP | Modules linked in: | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted | 5.15.78-android13-8-g63561175bbda-dirty #1 | … | pc : kcsan_setup_watchpoint+0x26c/0x6bc | lr : kcsan_setup_watchpoint+0x88/0x6bc | sp : ffffffc00ab4b7f0 | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001 | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80 | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71 | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060 | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000 | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0 | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8 | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007 | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70 | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000 | Call trace: | kcsan_setup_watchpoint+0x26c/0x6bc | __tsan_read2+0x1f0/0x234 | inflate_fast+0x498/0x750 | zlib_inflate+0x1304/0x2384 | __gunzip+0x3a0/0x45c | gunzip+0x20/0x30 | unpack_to_rootfs+0x2a8/0x3fc | do_populate_rootfs+0xe8/0x11c | async_run_entry_fn+0x58/0x1bc | process_one_work+0x3ec/0x738 | worker_thread+0x4c4/0x838 | kthread+0x20c/0x258 | ret_from_fork+0x10/0x20 | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) ) | —[ end trace 613a943cb0a572b6 ]—– The reason for this is that on certain arm64 configuration since e35123d83ee3 (“arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y”), READ_ONCE() may be promoted to a full atomic acquire instruction which cannot be used on unaligned addresses. Fix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply forcing the compiler to do the required access by casting to the appropriate volatile type. In terms of generated code this currently only affects architectures that do not use the default READ_ONCE() implementation. The only downside is that we are not guaranteed atomicity of the access itself, although on most architectures a plain load up to machine word size should still be atomic (a fact the default READ_ONCE() still relies on itself). 2025-12-08 not yet calculated CVE-2023-53742 https://git.kernel.org/stable/c/706ae665747b629bcf87a2d7e6438602f904b8d5
https://git.kernel.org/stable/c/75c03a8cfc731519236f08c34c7e029ae153a613
https://git.kernel.org/stable/c/f8f2297355513e5e0631e604ef9d7e449c7dcd00
https://git.kernel.org/stable/c/8dec88070d964bfeb4198f34cb5956d89dd1f557
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI: Free released resource after coalescing release_resource() doesn’t actually free the resource or the resource list entry, so free the resource list entry to avoid a leak. 2025-12-08 not yet calculated CVE-2023-53743 https://git.kernel.org/stable/c/4443f3695d581ad1a55f2ef59259dcd0c52402b3
https://git.kernel.org/stable/c/a076e73dd6e619729e1af8d0d802fe52ac5eb2b3
https://git.kernel.org/stable/c/a08713b9d9031683b83b3ecf12bad40a1ca35211
https://git.kernel.org/stable/c/8ec9c1d5d0a5a4744516adb483b97a238892f9d5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe wkup_m3_ipc_get() takes refcount, which should be freed by wkup_m3_ipc_put(). Add missing refcount release in the error paths. 2025-12-08 not yet calculated CVE-2023-53744 https://git.kernel.org/stable/c/08310f810975c8c9e17c6ffb99fdb76a84e8adb7
https://git.kernel.org/stable/c/6a50350033e0e0854acf59a8413913b4de04bd7d
https://git.kernel.org/stable/c/6dbcc493a18dd60947c2168a39df0ec2fe7b5110
https://git.kernel.org/stable/c/e6c6b40c9bf49ce9b5493b146bfeb96359937cfa
https://git.kernel.org/stable/c/65305e8c0009a1933679dad5c8196060a10f3c8b
https://git.kernel.org/stable/c/8f3c307b580a4a6425896007325bddefc36e8d91
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vector_config If the return value of the uml_parse_vector_ifspec function is NULL, we should call kfree(params) to prevent memory leak. 2025-12-08 not yet calculated CVE-2023-53745 https://git.kernel.org/stable/c/5c49fb5ad01104acc584405572abf6616d45148e
https://git.kernel.org/stable/c/6480c3a12755bf85d6738ab60967e89b809c701a
https://git.kernel.org/stable/c/f2b9c4544e3bd60f353732291300097b0e8d8454
https://git.kernel.org/stable/c/276a7298af6a801e9a865282605a79303365ec66
https://git.kernel.org/stable/c/c8583b4655aab44a9796b5c4a681ddcc6fe2f0d0
https://git.kernel.org/stable/c/634a9c139cc1362f6a9cc6cbfe442dbb60ff9f3f
https://git.kernel.org/stable/c/8f88c73afe481f93d40801596927e8c0047b6d96
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: fix memory leak in vfio_ap device driver The device release callback function invoked to release the matrix device uses the dev_get_drvdata(device *dev) function to retrieve the pointer to the vfio_matrix_dev object in order to free its storage. The problem is, this object is not stored as drvdata with the device; since the kfree function will accept a NULL pointer, the memory for the vfio_matrix_dev object is never freed. Since the device being released is contained within the vfio_matrix_dev object, the container_of macro will be used to retrieve its pointer. 2025-12-08 not yet calculated CVE-2023-53746 https://git.kernel.org/stable/c/5195de1d5f66b276683240a896783f7f43c4f664
https://git.kernel.org/stable/c/ee17dea3072dec0bc34399a32fa884e26342e4ea
https://git.kernel.org/stable/c/aa2bff25e9bb10c935c7ffe3d5f5975bdccb1749
https://git.kernel.org/stable/c/6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67
https://git.kernel.org/stable/c/7b6a02f5bf15931464c79dfd487c57f76aae3496
https://git.kernel.org/stable/c/8f8cf767589f2131ae5d40f3758429095c701c84
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_destruct(). Because of that, the struct vc_data pointer must be reloaded in the while loop in vcs_write() after console_lock() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119 Call Trace: <TASK> __asan_report_load4_noabort (mm/kasan/report_generic.c:380) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_write (drivers/tty/vt/vc_screen.c:664) vfs_write (fs/read_write.c:582 fs/read_write.c:564) … <TASK> Allocated by task 1213: kmalloc_trace (mm/slab_common.c:1064) vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) con_install (drivers/tty/vt/vt.c:3334) tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 drivers/tty/tty_io.c:1392) tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:921) vfs_open (fs/open.c:1052) … Freed by task 4116: kfree (mm/slab_common.c:1016) vc_port_destruct (drivers/tty/vt/vt.c:1044) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2778) … The buggy address belongs to the object at ffff8880beab8800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00) The buggy address belongs to the physical page: page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbeab8 head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint 2025-12-08 not yet calculated CVE-2023-53747 https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea
https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d
https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2
https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047
https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67
https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc
https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f
https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357
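The race described in the vc_screen entry above, as an added userspace model that is not part of this summary and is not the kernel's vc_screen.c: a write loop that drops and re-takes the console lock per chunk, run once with the pointer cached across the lock drop (the pre-fix shape) and once reloading it from the console table under the lock. The console table, the "destroy on unlock" hook that stands in for a racing VT_DISALLOCATE, the chunk size and the DEMO_UAF marker are all constructed for the demo; in the kernel the same access dereferences freed memory instead of returning a marker.

```c
/*
 * Added illustration (not the kernel's vc_screen.c): why a pointer cached
 * across console_unlock()/console_lock() must be re-fetched. All names,
 * the console table and the "destroy on unlock" hook are demo constructs.
 */
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

#define DEMO_MAX_CONS 4
#define DEMO_CHUNK    64        /* bytes copied from user per lock drop (assumed) */
#define DEMO_UAF      (-999)    /* demo-only: "touched a destroyed console" */

struct demo_vc {
    int rows, cols;
    int alive;                  /* cleared by destruct; stands in for kfree() */
};

static struct demo_vc demo_pool[DEMO_MAX_CONS];
static struct demo_vc *demo_vc_cons[DEMO_MAX_CONS];   /* like vc_cons[i].d */
static int demo_destroy_on_unlock = -1;               /* index a racing VT_DISALLOCATE hits */

static void demo_console_lock(void) {}

/* The unlocked window is where another task can free the vc we cached. */
static void demo_console_unlock(void)
{
    int i = demo_destroy_on_unlock;
    if (i >= 0 && demo_vc_cons[i]) {
        demo_vc_cons[i]->alive = 0;        /* vc_port_destruct() -> kfree(vc) */
        demo_vc_cons[i] = NULL;
        demo_destroy_on_unlock = -1;
    }
}

/* In the kernel this reads freed memory; here it reports that instead. */
static long demo_vcs_size(const struct demo_vc *vc)
{
    if (!vc->alive)
        return DEMO_UAF;
    return (long)vc->rows * vc->cols * 2;  /* char + attribute per cell */
}

/* Core write loop; reload=1 is the fixed behaviour, reload=0 the buggy one. */
static long demo_vcs_write(int idx, size_t count, int reload)
{
    struct demo_vc *vc;
    long written = 0;

    demo_console_lock();
    vc = demo_vc_cons[idx];
    if (!vc) {
        demo_console_unlock();
        return -ENXIO;
    }
    while (count) {
        size_t chunk = count < DEMO_CHUNK ? count : DEMO_CHUNK;
        long size;

        demo_console_unlock();             /* copy_from_user() runs unlocked */
        demo_console_lock();
        if (reload) {                      /* the fix: re-fetch under the lock */
            vc = demo_vc_cons[idx];
            if (!vc) {
                demo_console_unlock();
                return written ? written : -ENXIO;
            }
        }
        size = demo_vcs_size(vc);          /* buggy path may use a dead vc here */
        if (size < 0) {
            demo_console_unlock();
            return size;
        }
        written += (long)chunk;
        count -= chunk;
    }
    demo_console_unlock();
    return written;
}

static long buggy_vcs_write(int idx, size_t count) { return demo_vcs_write(idx, count, 0); }
static long fixed_vcs_write(int idx, size_t count) { return demo_vcs_write(idx, count, 1); }

/* One live 80x25 console; race=1 queues a VT_DISALLOCATE for the first unlock. */
static long demo_run(int fixed, int race)
{
    demo_pool[0].rows = 25; demo_pool[0].cols = 80; demo_pool[0].alive = 1;
    demo_vc_cons[0] = &demo_pool[0];
    demo_destroy_on_unlock = race ? 0 : -1;
    return fixed ? fixed_vcs_write(0, 100) : buggy_vcs_write(0, 100);
}

int main(void)
{
    printf("buggy, racing VT_DISALLOCATE: %ld\n", demo_run(0, 1));  /* -999 */
    printf("fixed, racing VT_DISALLOCATE: %ld\n", demo_run(1, 1));  /* -ENXIO */
    printf("fixed, no race:               %ld\n", demo_run(1, 0));  /* 100 */
    return 0;
}
```

The point to take from the model is not the marker value but where the re-fetch sits: any pointer obtained under a lock is only valid until that lock is dropped, so a loop that unlocks to touch user memory must re-derive the object from its owning table after re-locking, and must treat "gone" as an error rather than carrying on with the old pointer.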
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup The variable *nplanes is provided by the user via a system call argument. The possible value of q_data->fmt->num_planes is 1-3, while the value of *nplanes can be 1-8. The array access by index i can cause an array out-of-bounds. Fix this bug by checking *nplanes against the array size. 2025-12-08 not yet calculated CVE-2023-53748 https://git.kernel.org/stable/c/48e4e06e2c5fe1fda283d499f91492eda2248bb9
https://git.kernel.org/stable/c/b8e19bf3b4aebd855be01b64674187dcf6d1db51
https://git.kernel.org/stable/c/8fbcf730cb89c3647f3365226fe7014118fa93c7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86: fix clear_user_rep_good() exception handling annotation This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 (“x86: don’t use REP_GOOD or ERMS for user memory clearing”) upstream. However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final ‘rep movsb’ in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it. That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won’t actually find the instruction in the exception tables. As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like: BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) – not-present page … RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 … Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline] clear_user arch/x86/include/asm/uaccess_64.h:124 [inline] iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline] iomap_dio_iter fs/iomap/direct-io.c:440 [inline] __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline] ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline] do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline] __se_sys_preadv2 fs/read_write.c:1061 [inline] __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd which then looks like a filesystem bug rather than the incorrect exception annotation that it is. [ The alternative to this one-liner fix is to take the upstream series that cleans this all up: 68674f94ffc9 (“x86: don’t use REP_GOOD or ERMS for small memory copies”) 20f3337d350c (“x86: don’t use REP_GOOD or ERMS for small memory clearing”) adfcf4231b8c (“x86: don’t use REP_GOOD or ERMS for user memory copies”) * d2c95f9d6802 (“x86: don’t use REP_GOOD or ERMS for user memory clearing”) 3639a535587d (“x86: move stac/clac from user copy routines into callers”) 577e6a7fd50d (“x86: inline the ‘rep movs’ in user copies for the FSRM case”) 8c9b6a88b7e2 (“x86: improve on the non-rep ‘clear_user’ function”) 427fda2c8a49 (“x86: improve on the non-rep ‘copy_user’ function”) * e046fe5a36a9 (“x86: set FSRS automatically on AMD CPUs that have FSRM”) e1f2750edc4a (“x86: remove ‘zerorest’ argument from __copy_user_nocache()”) 034ff37d3407 (“x86: rewrite ‘__copy_user_nocache’ function”) with either the whole series or at a minimum the two marked commits being needed to fix this issue ] 2025-12-08 not yet calculated CVE-2023-53749 https://git.kernel.org/stable/c/90510aed20a26e1a4dede4ef6b640e6a4122f38f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 The config passed in by pad wakeup is 1; when num_configs is 1, configs[1] should not be fetched, which KASAN detects as a memory out-of-bounds condition. Modify to get configs[1] only when num_configs is 2. 2025-12-08 not yet calculated CVE-2023-53750 https://git.kernel.org/stable/c/f85d3cb10f4df5ae3bdb9a9357315c28d781651f
https://git.kernel.org/stable/c/27d9a7585b594bb2f9bb1f65e0003814fcc69c75
https://git.kernel.org/stable/c/9063777ca1e2e895c5fdd493ee0c3f18fa710ed4
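The mediatek vcodec and freescale pinctrl entries above are the same shape of bug: a count that arrives from outside the function (a user-supplied *nplanes in one case, a caller's num_configs in the other) is used to index an array that is shorter than the count allows. The following is an added example, not part of this summary and not the driver code of either entry: a queue_setup-style callback in the pre-fix shape that trusts the API maximum, beside one that bounds the count by the real per-format array before indexing. The struct layout, the plane limits, the sizes and the oversized backing array (used so the stray reads stay defined and visible in userspace) are constructed for the demo.

```c
/*
 * Added illustration (not the mediatek vcodec driver): validating an
 * externally supplied count against the array it will index, not against
 * the API's maximum. Struct layout, limits and fixtures are demo constructs.
 */
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

#define DEMO_VIDEO_MAX_PLANES 8   /* largest count the ioctl can carry (assumed) */
#define DEMO_FMT_MAX_PLANES   3   /* entries the per-format table really has (assumed) */

struct demo_q_data {
    unsigned int num_planes;        /* 1..DEMO_FMT_MAX_PLANES, from the format table */
    const unsigned int *sizeimage;  /* only DEMO_FMT_MAX_PLANES entries are meaningful */
};

/*
 * Pre-fix shape: trusts *nplanes and walks sizeimage[] up to 8 entries deep.
 * In the driver that read past the array; here sizeimage points into a
 * larger backing array so the reads at i >= 3 land on "adjacent memory".
 */
static int buggy_queue_setup(const struct demo_q_data *q, unsigned int *nplanes,
                             const unsigned int *sizes)
{
    unsigned int i;

    if (*nplanes == 0 || *nplanes > DEMO_VIDEO_MAX_PLANES)
        return -EINVAL;
    for (i = 0; i < *nplanes; i++)
        if (sizes[i] < q->sizeimage[i])   /* i >= 3 is beyond the real table */
            return -EINVAL;
    return 0;
}

/* Hardened shape: bound the count by the real array, then by the format. */
static int fixed_queue_setup(const struct demo_q_data *q, unsigned int *nplanes,
                             const unsigned int *sizes)
{
    unsigned int i;

    if (*nplanes == 0 || *nplanes > DEMO_FMT_MAX_PLANES)
        return -EINVAL;
    if (*nplanes != q->num_planes)        /* a mismatch is also a bad request */
        return -EINVAL;
    for (i = 0; i < *nplanes; i++)
        if (sizes[i] < q->sizeimage[i])
            return -EINVAL;
    return 0;
}

/* Constructed fixture: a 2-plane format, then whatever sits after the table. */
static const unsigned int demo_backing[DEMO_VIDEO_MAX_PLANES] = {
    4096, 2048, 0,          /* the three real sizeimage[] slots */
    0, 0, 0, 0, 0           /* adjacent memory the buggy loop wanders into */
};
static const struct demo_q_data demo_q = { 2, demo_backing };

/* Constructed requests: one acceptable, one whose second plane is too small. */
static const unsigned int demo_ok_sizes[DEMO_VIDEO_MAX_PLANES]    = { 4096, 2048, 1, 1, 1, 1, 1, 1 };
static const unsigned int demo_small_sizes[DEMO_VIDEO_MAX_PLANES] = { 4096,  100, 1, 1, 1, 1, 1, 1 };

typedef int (*demo_setup_fn)(const struct demo_q_data *, unsigned int *, const unsigned int *);

/* Runs one request through a setup callback with a user-chosen plane count. */
static int demo_call(demo_setup_fn fn, unsigned int nplanes, const unsigned int *sizes)
{
    unsigned int n = nplanes;
    return fn(&demo_q, &n, sizes);
}

int main(void)
{
    printf("8 planes, buggy: %d\n", demo_call(buggy_queue_setup, 8, demo_ok_sizes)); /* 0: accepted */
    printf("8 planes, fixed: %d\n", demo_call(fixed_queue_setup, 8, demo_ok_sizes)); /* -EINVAL */
    printf("2 planes, fixed: %d\n", demo_call(fixed_queue_setup, 2, demo_ok_sizes)); /* 0 */
    printf("2 planes, small: %d\n", demo_call(fixed_queue_setup, 2, demo_small_sizes)); /* -EINVAL */
    return 0;
}
```

The buggy variant accepts the 8-plane request only because the bytes after the real table happen to be zero; on the real hardware those bytes are whatever the neighbouring fields hold, which is exactly the silent out-of-bounds read KASAN flagged. The pinctrl entry is the one-element version of the same rule: `configs[1]` is only valid when `num_configs` is at least 2.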
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname TCP_Server_Info::hostname may be updated once or many times during reconnect, so protect its access outside reconnect path as well and then prevent any potential use-after-free bugs. 2025-12-08 not yet calculated CVE-2023-53751 https://git.kernel.org/stable/c/64d62ac6d6514cba1305bd08e271ec1843bdd612
https://git.kernel.org/stable/c/c511954bf142fe1995aec3c739a9f1a76990283a
https://git.kernel.org/stable/c/0b08c4c499200be67d54c439d56e5ea866869945
https://git.kernel.org/stable/c/90c49fce1c43e1cc152695e20363ff5087897c09
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: deal with integer overflows in kmalloc_reserve() Blamed commit changed: ptr = kmalloc(size); if (ptr) size = ksize(ptr); size = kmalloc_size_roundup(size); ptr = kmalloc(size); This allowed various crashes as reported by syzbot [1] and Kyle Zeng. Problem is that if @size is bigger than 0x80000001, kmalloc_size_roundup(size) returns 2^32. kmalloc_reserve() uses a 32bit variable (obj_size), so 2^32 is truncated to 0. kmalloc(0) returns ZERO_SIZE_PTR which is not handled by skb allocations. The following trace can be triggered if a netdev->mtu is set close to 0x7fffffff. We might in the future limit netdev->mtu to a more sensible limit (like KMALLOC_MAX_SIZE). This patch is based on a syzbot report, and also a report and tentative fix from Kyle Zeng. [1] BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline] BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554 CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106 print_report+0xe4/0x4b4 mm/kasan/report.c:398 kasan_report+0x150/0x1ac mm/kasan/report.c:495 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 memset+0x40/0x70 mm/kasan/shadow.c:44 __build_skb_around net/core/skbuff.c:294 [inline] __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 alloc_skb include/linux/skbuff.h:1316 [inline] igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359 add_grec+0x81c/0x1124 net/ipv4/igmp.c:534 igmpv3_send_cr net/ipv4/igmp.c:667 [inline] igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810 call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers+0x54c/0x710 kernel/time/timer.c:1790 run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803 _stext+0x380/0xfbc ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84 invoke_softirq kernel/softirq.c:437 [inline] __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683 irq_exit_rcu+0x14/0x78 kernel/softirq.c:695 el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717 __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724 el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729 el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 2025-12-08 not yet calculated CVE-2023-53752 https://git.kernel.org/stable/c/31cf7853a940181593e4472fc56f46574123f9f6
https://git.kernel.org/stable/c/e4ffc47a1c3e5d11a853aa178c9a5136e79412e9
https://git.kernel.org/stable/c/bf7da02d2b8faf324206e1cbe64a4813ff903cc1
https://git.kernel.org/stable/c/915d975b2ffa58a14bfcf16fafe00c41315949ff
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix mapping to non-allocated address [Why] There is an issue mapping non-allocated location of memory. It would allocate gpio registers from an array out of bounds. [How] Patch correct numbers of bounds for using. 2025-12-08 not yet calculated CVE-2023-53753 https://git.kernel.org/stable/c/8ce8a443ddd9002861a4ee8a7e33a0c02717422f
https://git.kernel.org/stable/c/24aaf6603600d6d1159973c809ea2737664b28c4
https://git.kernel.org/stable/c/9190d4a263264eabf715f5fc1827da45e3fdc247
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4) returns false, drbl_regs_memmap_p is not remapped. This passes a NULL pointer to iounmap(), which can trigger a WARN() on certain arches. When if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4) returns true, drbl_regs_memmap_p may have been remapped and ctrl_regs_memmap_p is not remapped. This is a resource leak and passes a NULL pointer to iounmap(). To fix these issues, we need to add null checks before iounmap(), and change some goto labels. 2025-12-08 not yet calculated CVE-2023-53754 https://git.kernel.org/stable/c/74d90f92eafe8ccd12827228236a28a94eda6bcc
https://git.kernel.org/stable/c/bab8dc38b1a0a12bc064fc064269033bdcf5b88e
https://git.kernel.org/stable/c/fd8c83d8375b9dac1949f2753485a5c055ebfad0
https://git.kernel.org/stable/c/e6f1ef4a53856ed000b0f7265d7e16dcb00f4243
https://git.kernel.org/stable/c/631d0fab143bef85ea0813596f1dda36e2b9724c
https://git.kernel.org/stable/c/7e5a54d1f00725a739dcd20f616d82eff4f764bd
https://git.kernel.org/stable/c/91a0c0c1413239d0548b5aac4c82f38f6d53a91e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: check for null desc before calling pt_cmd_callback Resolves a panic that can occur on AMD systems, typically during host shutdown, after the PTDMA driver had been exercised. The issue was the pt_issue_pending() function is mistakenly assuming that there will be at least one descriptor in the Submitted queue when the function is called. However, it is possible that both the Submitted and Issued queues could be empty, which could result in pt_cmd_callback() being mistakenly called with a NULL pointer. Ref: Bugzilla Bug 216856. 2025-12-08 not yet calculated CVE-2023-53755 https://git.kernel.org/stable/c/8ae2113702613207efc05453bc9a3df2b992bf45
https://git.kernel.org/stable/c/5bba023b1241c7af5d40447503a68de282ad5190
https://git.kernel.org/stable/c/928469986171a6f763b34b039427f5667ba3fd50
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Fix crash due to uninitialized current_vmcs KVM enables ‘Enlightened VMCS’ and ‘Enlightened MSR Bitmap’ when running as a nested hypervisor on top of Hyper-V. When MSR bitmap is updated, evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark that the msr bitmap was changed. vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr -> vmx_msr_bitmap_l01_changed which in the end calls this function. The function checks for current_vmcs if it is null but the check is insufficient because current_vmcs is not initialized. Because of this, the code might incorrectly write to the structure pointed by current_vmcs value left by another task. Preemption is not disabled, the current task can be preempted and moved to another CPU while current_vmcs is accessed multiple times from evmcs_touch_msr_bitmap() which leads to crash. The manipulation of MSR bitmaps by callers happens only for vmcs01 so the solution is to use vmx->vmcs01.vmcs instead of current_vmcs. BUG: kernel NULL pointer dereference, address: 0000000000000338 PGD 4e1775067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI … RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel] … Call Trace: vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel] vmx_vcpu_create+0xe6/0x540 [kvm_intel] kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm] kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm] kvm_vm_ioctl+0x53f/0x790 [kvm] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd 2025-12-08 not yet calculated CVE-2023-53756 https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc
https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2
https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f
https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4
https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe of_irq_find_parent() returns a node pointer with refcount incremented. We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. 2025-12-08 not yet calculated CVE-2023-53757 https://git.kernel.org/stable/c/d6b99b9b5e354f9c801a3cc3b1d4881d920e1718
https://git.kernel.org/stable/c/4545d7a70ce0fc78b1d3c33c4a0939a86f363b57
https://git.kernel.org/stable/c/c7d78d36e19eeb74a1c12799fbadbcdbaf36c0bd
https://git.kernel.org/stable/c/cee12e8be8e227731a845ae43a4c9ce2e404be45
https://git.kernel.org/stable/c/88cb93d3a16f706bd7213f8a5882c394e5d10c4e
https://git.kernel.org/stable/c/bb755e020abc24793b9411c9419ed43f07f9a03d
https://git.kernel.org/stable/c/91e149b201bdb68c77011d50d011e47fadbcc8bd
https://git.kernel.org/stable/c/9419e700021a393f67be36abd0c4f3acc6139041
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: atmel-quadspi: Free resources even if runtime resume failed in .remove() An early error exit in atmel_qspi_remove() doesn’t prevent the device unbind. So this results in an spi controller with an unbound parent and unmapped register space (because devm_ioremap_resource() is undone). So using the remaining spi controller probably results in an oops. Instead unregister the controller unconditionally and only skip hardware access and clk disable. Also add a warning about resume failing and return zero unconditionally. The latter has the only effect to suppress a less helpful error message by the spi core. 2025-12-08 not yet calculated CVE-2023-53758 https://git.kernel.org/stable/c/f6974fb20499e3b6522daa7aec822aac11dfcf42
https://git.kernel.org/stable/c/618770d4d8e40b7f8ed9eb5f210cd9164dfac47d
https://git.kernel.org/stable/c/77806d7c9bebe40a8cdce2b8d30fbe6511745df8
https://git.kernel.org/stable/c/9448bc1dee65f86c0fe64d9dea8b410af0586886
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix data race on device refcount The hidraw_open() function increments the hidraw device reference counter. The counter has no dedicated synchronization mechanism, resulting in a potential data race when concurrently opening a device. The race is a regression introduced by commit 8590222e4b02 (“HID: hidraw: Replace hidraw device table mutex with a rwsem”). While minors_rwsem is intended to protect the hidraw_table itself, by instead acquiring the lock for writing, the reference counter is also protected. This is symmetrical to hidraw_release(). 2025-12-08 not yet calculated CVE-2023-53759 https://git.kernel.org/stable/c/879e79c3aead41b8aa2e91164354b30bd1c4ef3b
https://git.kernel.org/stable/c/ff348eabd97577da974d3db7038857f28c61d2bd
https://git.kernel.org/stable/c/05b47034e2488c2924e5c032e20a1979d012b5b5
https://git.kernel.org/stable/c/944ee77dc6ec7b0afd8ec70ffc418b238c92f12b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock issue When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting for the same lock. This can happen in ufshcd_handle_mcq_cq_events() and also in ufs_mtk_mcq_intr(). The following warning message will be generated when &hwq->cq_lock is used in IRQ context with IRQ enabled. Use ufshcd_mcq_poll_cqe_lock() with spin_lock_irqsave instead of spin_lock to resolve the deadlock issue. [name:lockdep&]WARNING: inconsistent lock state [name:lockdep&]-------------------------------- [name:lockdep&]inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. [name:lockdep&]kworker/u16:4/260 [HC0[0]:SC0[0]:HE1:SE1] takes: ffffff8028444600 (&hwq->cq_lock){?.-.}-{2:2}, at: ufshcd_mcq_poll_cqe_lock+0x30/0xe0 [name:lockdep&]{IN-HARDIRQ-W} state was registered at: lock_acquire+0x17c/0x33c _raw_spin_lock+0x5c/0x7c ufshcd_mcq_poll_cqe_lock+0x30/0xe0 ufs_mtk_mcq_intr+0x60/0x1bc [ufs_mediatek_mod] __handle_irq_event_percpu+0x140/0x3ec handle_irq_event+0x50/0xd8 handle_fasteoi_irq+0x148/0x2b0 generic_handle_domain_irq+0x4c/0x6c gic_handle_irq+0x58/0x134 call_on_irq_stack+0x40/0x74 do_interrupt_handler+0x84/0xe4 el1_interrupt+0x3c/0x78 <snip> Possible unsafe locking scenario: CPU0 ---- lock(&hwq->cq_lock); <Interrupt> lock(&hwq->cq_lock); *** DEADLOCK *** 2 locks held by kworker/u16:4/260: [name:lockdep&] stack backtrace: CPU: 7 PID: 260 Comm: kworker/u16:4 Tainted: G S W OE 6.1.17-mainline-android14-2-g277223301adb #1 Workqueue: ufs_eh_wq_0 ufshcd_err_handler Call trace: dump_backtrace+0x10c/0x160 show_stack+0x20/0x30 dump_stack_lvl+0x98/0xd8 dump_stack+0x20/0x60 print_usage_bug+0x584/0x76c mark_lock_irq+0x488/0x510 mark_lock+0x1ec/0x25c __lock_acquire+0x4d8/0xffc lock_acquire+0x17c/0x33c _raw_spin_lock+0x5c/0x7c ufshcd_mcq_poll_cqe_lock+0x30/0xe0 ufshcd_poll+0x68/0x1b0 ufshcd_transfer_req_compl+0x9c/0xc8 ufshcd_err_handler+0x3bc/0xea0 process_one_work+0x2f4/0x7e8 worker_thread+0x234/0x450 kthread+0x110/0x134 ret_from_fork+0x10/0x20 2025-12-08 not yet calculated CVE-2023-53760 https://git.kernel.org/stable/c/2ce8c49c7b53e0a2258b833eeab16a6d78f732d1
https://git.kernel.org/stable/c/948afc69615167a3c82430f99bfd046332b89912
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Fix direction for 0-length ioctl control messages The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length control transfer, the driver does not check that the direction is set to OUT: ------------[ cut here ]------------ usb 3-1: BOGUS control dir, pipe 80000b80 doesn’t match bRequestType fd WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 To fix this, we must override the direction in the bRequestType field of the control request structure when the length is 0. 2025-12-08 not yet calculated CVE-2023-53761 https://git.kernel.org/stable/c/7cef7681aa7719ff585dd06113a061ab2def7da0
https://git.kernel.org/stable/c/6340e432cf70bf156b19c6f5dd737d940eca02a3
https://git.kernel.org/stable/c/3b43d9df27a708f4079d518b879f517fea150a91
https://git.kernel.org/stable/c/0ced12bdf624d8d8977ddb16eb130cd479d92bcf
https://git.kernel.org/stable/c/50775a046c68e1d157d5e413cae2e5e00da1c463
https://git.kernel.org/stable/c/94d25e9128988c6a1fc9070f6e98215a95795bd8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event. To prevent this the code now tries to iterate over the list backwards to ensure the links are cleanup before its parents, also it no longer relies on a cursor, instead it always uses the last element since hci_abort_conn_sync is guaranteed to call hci_conn_del. UAF crash log: ================================================================== BUG: KASAN: slab-use-after-free in hci_set_powered_sync (net/bluetooth/hci_sync.c:5424) [bluetooth] Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124 CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work [bluetooth] Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xdd/0x160 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] kasan_report+0xa6/0xe0 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth] ? __pfx_lock_release+0x10/0x10 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_cmd_sync_work+0x137/0x220 [bluetooth] process_one_work+0x526/0x9d0 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? mark_held_locks+0x1a/0x90 worker_thread+0x92/0x630 ? __pfx_worker_thread+0x10/0x10 kthread+0x196/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> Allocated by task 1782: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 hci_conn_add+0xa5/0xa80 [bluetooth] hci_bind_cis+0x881/0x9b0 [bluetooth] iso_connect_cis+0x121/0x520 [bluetooth] iso_sock_connect+0x3f6/0x790 [bluetooth] __sys_connect+0x109/0x130 __x64_sys_connect+0x40/0x50 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 695: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 __kmem_cache_free+0x14d/0x2e0 device_release+0x5d/0xf0 kobject_put+0xdf/0x270 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth] hci_event_packet+0x579/0x7e0 [bluetooth] hci_rx_work+0x287/0xaa0 [bluetooth] process_one_work+0x526/0x9d0 worker_thread+0x92/0x630 kthread+0x196/0x1e0 ret_from_fork+0x2c/0x50 ================================================================== 2025-12-08 not yet calculated CVE-2023-53762 https://git.kernel.org/stable/c/a30c074f0b5b7f909a15c978fbc96a29e2f94e42
https://git.kernel.org/stable/c/ba3ba53ce1f76fc372b8f918fece4f9b1e41acd4
https://git.kernel.org/stable/c/94d9ba9f9888b748d4abd2aa1547af56ae85f772
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Revert “f2fs: fix to do sanity check on extent cache correctly” syzbot reports a f2fs bug as below: UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19 index 1409 is out of range for type ‘__le32[923]’ (aka ‘unsigned int[923]’) Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 inline_data_addr fs/f2fs/f2fs.h:3275 [inline] __recover_inline_status fs/f2fs/inode.c:113 [inline] do_read_inode fs/f2fs/inode.c:480 [inline] f2fs_iget+0x4730/0x48b0 fs/f2fs/inode.c:604 f2fs_fill_super+0x640e/0x80c0 fs/f2fs/super.c:4601 mount_bdev+0x276/0x3b0 fs/super.c:1391 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue was bisected to: commit d48a7b3a72f121655d95b5157c32c7d555e44c05 Author: Chao Yu <chao@kernel.org> Date: Mon Jan 9 03:49:20 2023 +0000 f2fs: fix to do sanity check on extent cache correctly The root cause is we applied both v1 and v2 of the patch, v2 is the right fix, so it needs to revert v1 in order to fix reported issue. v1: commit d48a7b3a72f1 (“f2fs: fix to do sanity check on extent cache correctly”) https://lore.kernel.org/lkml/20230109034920.492914-1-chao@kernel.org/ v2: commit 269d11948100 (“f2fs: fix to do sanity check on extent cache correctly”) https://lore.kernel.org/lkml/20230207134808.1827869-1-chao@kernel.org/ 2025-12-08 not yet calculated CVE-2023-53763 https://git.kernel.org/stable/c/0d545a8e77cbd1fbad311b18952e38e0f7672ab4
https://git.kernel.org/stable/c/ea35767edc78327c686e21fe1231b668f11be0db
https://git.kernel.org/stable/c/bbb3cd66301ef752fae2922452660f228d69bcaf
https://git.kernel.org/stable/c/958ccbbf1ce716d77c7cfa79ace50a421c1eed73
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Handle lock during peer_id find ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock. Currently the WBM error path does not hold the lock and calling that function, leads to the following lockdep_assert() in QCN9274: [105162.160893] ------------[ cut here ]------------ [105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)] [105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G W O 6.1.0-rc2+ #3 [105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019 [105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00 [105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246 [105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000 [105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7 [105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000 [105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0 [105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040 [105162.161026] FS: 0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000 [105162.161031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0 [105162.161041] Call Trace: [105162.161046] <IRQ> [105162.161051] ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k] [105162.161072] ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k] [105162.161084] ? __lock_acquire+0x4ca/0x1a60 [105162.161104] ath12k_dp_service_srng+0x263/0x310 [ath12k] [105162.161120] ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k] [105162.161133] __napi_poll+0x22/0x260 [105162.161141] net_rx_action+0x2f8/0x380 [105162.161153] __do_softirq+0xd0/0x4c9 [105162.161162] irq_exit_rcu+0x88/0xe0 [105162.161169] common_interrupt+0xa5/0xc0 [105162.161174] </IRQ> [105162.161179] <TASK> [105162.161184] asm_common_interrupt+0x22/0x40 Handle spin lock/unlock in WBM error path to hold the necessary lock expected by ath12k_peer_find_by_id(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1 2025-12-08 not yet calculated CVE-2023-53764 https://git.kernel.org/stable/c/9faf7c696610a348ca94a224d55c946b19b3279d
https://git.kernel.org/stable/c/95a389e2ff3212d866cc51c77d682d2934074eb8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm cache: free background tracker’s queued work in btracker_destroy Otherwise the kernel can BUG with: [ 2245.426978] ============================================================================= [ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown() [ 2245.445233] ----------------------------------------------------------------------------- [ 2245.445233] [ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) [ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19 [ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021 [ 2245.483646] Call Trace: [ 2245.486100] <TASK> [ 2245.488206] dump_stack_lvl+0x34/0x48 [ 2245.491878] slab_err+0x95/0xcd [ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136 [ 2245.499821] kmem_cache_destroy+0x49/0x130 [ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache] [ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq] [ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache] [ 2245.518834] destroy+0xc0/0x110 [dm_cache] [ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod] [ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod] [ 2245.532102] dev_remove+0x117/0x190 [dm_mod] [ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod] [ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod] [ 2245.544773] __x64_sys_ioctl+0x8a/0xc0 [ 2245.548524] do_syscall_64+0x5c/0x90 [ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30 [ 2245.556897] ? do_syscall_64+0x69/0x90 [ 2245.560648] ? do_syscall_64+0x69/0x90 [ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 2245.569447] RIP: 0033:0x7fe52583ec6b … [ 2245.646771] ------------[ cut here ]------------ [ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache] [ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130 Found using: lvm2-testsuite --only “cache-single-split.sh” Ben bisected and found that commit 0495e337b703 (“mm/slab_common: Deleting kobject in kmem_cache_destroy() without holding slab_mutex/cpu_hotplug_lock”) first exposed dm-cache’s incomplete cleanup of its background tracker work objects. 2025-12-08 not yet calculated CVE-2023-53765 https://git.kernel.org/stable/c/673a3af21d5e3ed769f3eaed0c888244290a3506
https://git.kernel.org/stable/c/ed56ad5cacb7a3aeb611494d5d66e2399d2bfecc
https://git.kernel.org/stable/c/95ab80a8a0fef2ce0cc494a306dd283948066ce7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Check for read-only mounted filesystem in txBegin This patch adds a check for read-only mounted filesystem in txBegin before starting a transaction potentially saving from NULL pointer deref. 2025-12-08 not yet calculated CVE-2023-53766 https://git.kernel.org/stable/c/a88efca805bea93cea9187dfd00835aa7093bf1b
https://git.kernel.org/stable/c/97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7
https://git.kernel.org/stable/c/2a8807f9f511c64de0c7cc9900a1683e3d72a3e5
https://git.kernel.org/stable/c/5c094ca994824e038b6a97835ded4e5d1d808504
https://git.kernel.org/stable/c/2febd5f81e4bfba61d9f374dcca628aff374cc56
https://git.kernel.org/stable/c/aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c
https://git.kernel.org/stable/c/b0ed8ed0428ee96092da6fefa5cfacbe4abed701
https://git.kernel.org/stable/c/95e2b352c03b0a86c5717ba1d24ea20969abcacc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work() Currently the buffer pointed by event is not freed in case ATH12K_FLAG_UNREGISTERING bit is set, this causes memory leak. Add a goto skip instead of return, to ensure event and all the list entries are freed properly. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 2025-12-08 not yet calculated CVE-2023-53767 https://git.kernel.org/stable/c/a87f59041a7f77b4bdab05cea60ac6adc69dc5d2
https://git.kernel.org/stable/c/960412bee0ea75f6b3c2dca4a3535795ee84c47a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: regmap-irq: Fix out-of-bounds access when allocating config buffers When allocating the 2D array for handling IRQ type registers in regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix with num_config_bases rows and num_config_regs columns. This is currently handled by allocating a buffer to hold a pointer for each row (i.e. num_config_bases). After that, the logic attempts to allocate the memory required to hold the register configuration for each row. However, instead of doing this allocation for each row (i.e. num_config_bases allocations), the logic erroneously does this allocation num_config_regs number of times. This scenario can lead to out-of-bounds accesses when num_config_regs is greater than num_config_bases. Fix this by updating the terminating condition of the loop that allocates the memory for holding the register configuration to allocate memory only for each row in the matrix. Amit Pundir reported a crash that was occurring on his db845c device due to memory corruption (see “Closes” tag for Amit’s report). The KASAN report below helped narrow it down to this issue: [ 14.033877][ T1] ================================================================== [ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364 [ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1 [ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850 [ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8 [ 14.255669][ T1] The buggy address is located 0 bytes inside of [ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858) 2025-12-08 not yet calculated CVE-2023-53768 https://git.kernel.org/stable/c/b1a726ad33e585e3d9fa70712df31ae105e4532c
https://git.kernel.org/stable/c/6e7b2337ecd028bd888a1a0be4115b8a88faf838
https://git.kernel.org/stable/c/963b54df82b6d6206d7def273390bf3f7af558e1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: virt/coco/sev-guest: Double-buffer messages The encryption algorithms read and write directly to shared unencrypted memory, which may leak information as well as permit the host to tamper with the message integrity. Instead, copy whole messages in or out as needed before doing any computation on them. 2025-12-08 not yet calculated CVE-2023-53769 https://git.kernel.org/stable/c/577a64725bfd77645986168e953d405067ee565b
https://git.kernel.org/stable/c/c27dafc4aa50a29ec927b3aa84ac7b430071f682
https://git.kernel.org/stable/c/4b69c63f716cfda38e1210e65b68f67f6cee2ddf
https://git.kernel.org/stable/c/965006103a14703cc42043bbf9b5e0cdf7a468ad
 
MiniDVBLinux–MiniDVBLinux(TM) Distribution (MLD) MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with ‘action=getconfig’ to retrieve a complete system configuration archive containing sensitive credentials. 2025-12-09 not yet calculated CVE-2023-53770 ExploitDB-51091
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5713)
VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Configuration Download via Backup Endpoint
 
MiniDVBLinux–MiniDVBLinux Change Root Password PoC MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials. 2025-12-09 not yet calculated CVE-2023-53771 ExploitDB-51094
Zero Science Lab Disclosure (ZSL-2022-5715)
Official Product Homepage
VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Root Password Change via System Setup
 
MiniDVBLinux–MiniDVBLinux MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the ‘file’ GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device. 2025-12-09 not yet calculated CVE-2023-53772 ExploitDB-51097
MiniDVBLinux Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5719)
VulnCheck Advisory: MiniDVBLinux 5.4 Arbitrary File Read Vulnerability via About Page
 
MiniDVBLinux–MiniDVBLinux MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication. 2025-12-09 not yet calculated CVE-2023-53773 ExploitDB-51095
MiniDVBLinux Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5716)
VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Live Stream Disclosure via tv_action.sh
 
MiniDVBLinux–Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely. 2025-12-09 not yet calculated CVE-2023-53774 ExploitDB-51093
SVDRP Documentation
Zero Science Lab Disclosure (ZSL-2022-5714)
MiniDVBLinux Product Homepage
VulnCheck Advisory: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol Remote Code Execution
 
DB Elettronica Telecomunicazioni SpA–Screen SFT DAB Series – Compact Radio DAB Transmitter Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. Attackers can reuse IP-bound session identifiers to issue unauthorized requests to the userManager API and modify user credentials without proper authentication. 2025-12-10 not yet calculated CVE-2023-53775 ExploitDB-51456
Screen Product Homepage
DB Broadcast Official Product Page
DB Broadcast Website
Zero Science Advisory URL
VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness
 
DB Elettronica Telecomunicazioni SpA–Screen SFT DAB Series – Compact Radio DAB Transmitter Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the session binding mechanism to perform critical operations on the transmitter. 2025-12-10 not yet calculated CVE-2023-53776 ExploitDB-51459
Product Homepage
Vendor Homepage
Product Homepage
Vendor Advisory URL
VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won’t be submitted. As a consequence, the corresponding file pages will remain locked forever. It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total: Chain 1: 2->3->4->5 — The tail pcluster is 5; Chain 2: 5->1->2 — The tail pcluster is 2. Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2. Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let’s avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it’s needed to add it back. Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I’m not sure about the overall system impacts of not having this compared with implementation complexity. 2025-12-09 not yet calculated CVE-2023-53777 https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191
https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2
https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2
https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Clean up integer overflow checking in map_user_pages() The encode_dma() function has some validation on in_trans->size but it would be more clear to move those checks to find_and_map_user_pages(). The encode_dma() had two checks: if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) return -EINVAL; The in_trans->addr variable is the starting address. The in_trans->size variable is the total size of the transfer. The transfer can occur in parts and the resources->xferred_dma_size tracks how many bytes we have already transferred. This patch introduces a new variable “remaining” which represents the amount we want to transfer (in_trans->size) minus the amount we have already transferred (resources->xferred_dma_size). I have modified the check for if in_trans->size is zero to instead check if in_trans->size is less than resources->xferred_dma_size. If we have already transferred more bytes than in_trans->size then there are negative bytes remaining which doesn’t make sense. If there are zero bytes remaining to be copied, just return success. The check in encode_dma() checked that “addr + size” could not overflow and barring a driver bug that should work, but it’s easier to check if we do this in parts. First check that “in_trans->addr + resources->xferred_dma_size” is safe. Then check that “xfer_start_addr + remaining” is safe. My final concern was that we are dealing with u64 values but on 32bit systems the kmalloc() function will truncate the sizes to 32 bits. So I calculated “total = in_trans->size + offset_in_page(xfer_start_addr);” and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit systems. 2025-12-09 not yet calculated CVE-2023-53778 https://git.kernel.org/stable/c/d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3
https://git.kernel.org/stable/c/96d3c1cadedb6ae2e8965e19cd12caa244afbd9c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mfd: dln2: Fix memory leak in dln2_probe() When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets to call usb_put_dev() to decrease the refcount of dln2->usb_dev. Fix this by adding usb_put_dev() in the error handling code of dln2_probe(). 2025-12-09 not yet calculated CVE-2023-53779 https://git.kernel.org/stable/c/aa5a8673d71124e7dcdd497ec2accebc15bd6ca3
https://git.kernel.org/stable/c/71fa6f134d13822a5dd906327de04aad8e903e49
https://git.kernel.org/stable/c/1e453cb55014367a84655203c31d57dfa87e005e
https://git.kernel.org/stable/c/6a1a72a8cfdad6911a7167405b63545ad781fbe2
https://git.kernel.org/stable/c/1fa3fb4f70184254af437ccd59fd1c091a90d518
https://git.kernel.org/stable/c/77f43c014a770c4dcbdeed7cda6884c29382eb0f
https://git.kernel.org/stable/c/fa045c911f0bfc0305c71618ab5630153faf86a4
https://git.kernel.org/stable/c/96da8f148396329ba769246cb8ceaa35f1ddfc48
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix FCLK pstate change underflow [Why] Currently we set FCLK p-state change watermark calculated based on dummy p-state latency when UCLK p-state is not supported [How] Calculate FCLK p-state change watermark based on FCLK pstate change latency in case UCLK p-state is not supported 2025-12-09 not yet calculated CVE-2023-53780 https://git.kernel.org/stable/c/4bdfa48d74649898468a0bf5c8b8a48dded77b4a
https://git.kernel.org/stable/c/6853d56dba56d1c24db403ff3885c71e18d572c4
https://git.kernel.org/stable/c/972243f973eb0821084e5833d5f7f4ed025f42da
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). With Eric’s ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0] If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket. However, at the end of smc_clcsock_release(), the kernel socket’s sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers. The kernel socket’s TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket(). [0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091 CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ> 2025-12-09 not yet calculated CVE-2023-53781 https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137
https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dccp: Fix out of bounds access in DCCP error handler There was a previous attempt to fix an out-of-bounds access in the DCCP error handlers, but that fix assumed that the error handlers only want to access the first 8 bytes of the DCCP header. Actually, they also look at the DCCP sequence number, which is stored beyond 8 bytes, so an explicit pskb_may_pull() is required. 2025-12-09 not yet calculated CVE-2023-53782 https://git.kernel.org/stable/c/3533e10272555c422a7d51ebc0ce8c483429f7f2
https://git.kernel.org/stable/c/177212bf6dc1ff2d13d0409cddc5c9e81feec63d
https://git.kernel.org/stable/c/7a7dd70cb954d3efa706a429687ded88c02496fa
https://git.kernel.org/stable/c/4b8a938e329ae4eb54b73b0c87b5170607b038a8
https://git.kernel.org/stable/c/6ecf09699eb1554299aa1e7fd13e9e80f656c2f9
https://git.kernel.org/stable/c/f8a7f10a1dccf9868ff09342a73dce27501b86df
https://git.kernel.org/stable/c/d8171411a661253e6271fa10b65b46daf1b6471c
https://git.kernel.org/stable/c/ec620c34f5fa5d055f9f6136a387755db6157712
https://git.kernel.org/stable/c/977ad86c2a1bcaf58f01ab98df5cc145083c489c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: blk-iocost: fix divide by 0 error in calc_lcoefs() echo max of u64 to cost.model can cause divide by 0 error. # echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model divide error: 0000 [#1] PREEMPT SMP RIP: 0010:calc_lcoefs+0x4c/0xc0 Call Trace: <TASK> ioc_refresh_params+0x2b3/0x4f0 ioc_cost_model_write+0x3cb/0x4c0 ? _copy_from_iter+0x6d/0x6c0 ? kernfs_fop_write_iter+0xfc/0x270 cgroup_file_write+0xa0/0x200 kernfs_fop_write_iter+0x17d/0x270 vfs_write+0x414/0x620 ksys_write+0x73/0x160 __x64_sys_write+0x1e/0x30 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd calc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL, overflow would happen if bps plus IOC_PAGE_SIZE is greater than ULLONG_MAX, it can cause divide by 0 error. Fix the problem by setting basecost 2025-12-09 not yet calculated CVE-2023-53783 https://git.kernel.org/stable/c/9e8bf9f95f7a299fa9ea45b678d001806ad5e12c
https://git.kernel.org/stable/c/6e291810fe83a384700eb24a1f714966391ed562
https://git.kernel.org/stable/c/3538ade9d8c2ba41088e395de916f2599fadba8f
https://git.kernel.org/stable/c/bf8eb1fd6110871e6232e8e7efe399276ef7e6f6
https://git.kernel.org/stable/c/b96d7b4a9745fbd0c8384608ceb1f50415e862fa
https://git.kernel.org/stable/c/984af1e66b4126cf145153661cc24c213e2ec231
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm: bridge: dw_hdmi: fix connector access for scdc Commit 5d844091f237 (“drm/scdc-helper: Pimp SCDC debugs”) changed the scdc interface to pick up an i2c adapter from a connector instead. However, in the case of dw-hdmi, the wrong connector was being used to pass i2c adapter information, since dw-hdmi’s embedded connector structure is only populated when the bridge attachment callback explicitly asks for it. drm-meson is handling connector creation, so this won’t happen, leading to a NULL pointer dereference. Fix it by having scdc functions access dw-hdmi’s current connector pointer instead, which is assigned during the bridge enablement stage. [narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag] 2025-12-09 not yet calculated CVE-2023-53784 https://git.kernel.org/stable/c/552f79aa9e801ed4f74d6b3221af78042ba4f235
https://git.kernel.org/stable/c/98703e4e061fb8715c7613cd227e32cdfd136b23
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: don’t assume adequate headroom for SDIO headers mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that adequate headroom will be available in the passed skb. This assumption typically is satisfied when the skb was allocated in the net core for transmission via the mt7921 netdev (although even that is only an optimization and is not strictly guaranteed), but the assumption is sometimes not satisfied when the skb originated in the receive path of another netdev and was passed through to the mt7921, such as by the bridge layer. Blindly prepending bytes to an skb is always wrong. This commit introduces a call to skb_cow_head() before the call to mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be pushed onto the skb. Without this fix, I can trivially cause kernel panics by bridging an MT7921AU-based USB 802.11ax interface with an Ethernet interface on an Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet adapter and also on an ARM-based Raspberry Pi 1 using its onboard SMSC9512 USB Ethernet adapter. Note that the panics do not occur in every system configuration, as they occur only if the receiving netdev leaves less headroom in its received skbs than the mt7921 needs for its SDIO headers. 
Here is an example stack trace of this panic on Raspberry Pi OS Lite 2023-02-21 running kernel 6.1.24+ [1]: skb_panic from skb_push+0x44/0x48 skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common] mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb] mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76] __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76] mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76] mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common] mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76] __mt76_worker_fn [mt76] from kthread+0xbc/0xe0 kthread from ret_from_fork+0x14/0x34 After this fix, bridging the mt7921 interface works fine on both of my previously problematic systems. [1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a 2025-12-09 not yet calculated CVE-2023-53785 https://git.kernel.org/stable/c/5c8bbb79c7cbca65534badf360f3b1145759c7bc
https://git.kernel.org/stable/c/414c0c04703423b78bc9dea1aa6493334dc61f6e
https://git.kernel.org/stable/c/98c4d0abf5c478db1ad126ff0c187dbb84c0803c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm flakey: fix a crash with invalid table line This command will crash with NULL pointer dereference: dmsetup create flakey --table "0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512" Fix the crash by checking if arg_name is non-NULL before comparing it. 2025-12-09 not yet calculated CVE-2023-53786 https://git.kernel.org/stable/c/f95cb1526669ccdf7eb12eefd57a893953e3595f
https://git.kernel.org/stable/c/12849ed107c0b2869fb775c81208050899006f07
https://git.kernel.org/stable/c/337b7af273562b73c46ef77a724604ad139ca762
https://git.kernel.org/stable/c/a1e3fffe02e05c05357af91364ac0fc1ed425b5b
https://git.kernel.org/stable/c/f76fcb9d43ec014ac4a1bb983768696d5b032df9
https://git.kernel.org/stable/c/cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc
https://git.kernel.org/stable/c/83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0
https://git.kernel.org/stable/c/8258d84a7917aeece773716518deadb7ad776cb7
https://git.kernel.org/stable/c/98dba02d9a93eec11bffbb93c7c51624290702d2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: fix null pointer deref with partial DT config When some of the da9063 regulators do not have corresponding DT nodes a null pointer dereference occurs on boot because such regulators have no init_data causing the pointers calculated in da9063_check_xvp_constraints() to be invalid. Do not dereference them in this case. 2025-12-09 not yet calculated CVE-2023-53787 https://git.kernel.org/stable/c/04a025b17d83d07924e5e32508c72536ab8f42d9
https://git.kernel.org/stable/c/98e2dd5f7a8be5cb2501a897e96910393a49f0ff
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() tuning_ctl_set() might have a buffer overrun at (X) if it didn’t break from the loop by matching (A). static int tuning_ctl_set(…) { for (i = 0; i < TUNING_CTLS_COUNT; i++) (A) if (nid == ca0132_tuning_ctls[i].nid) break; snd_hda_power_up(…); (X) dspio_set_param(…, ca0132_tuning_ctls[i].mid, …); snd_hda_power_down(…); ^ return 1; } We get the error below from cppcheck: sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12 for (i = 0; i < TUNING_CTLS_COUNT; i++) ^ sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, ^ This patch handles the non-match case. 2025-12-09 not yet calculated CVE-2023-53788 https://git.kernel.org/stable/c/ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea
https://git.kernel.org/stable/c/3590498117a11aa1f92a97e8a04d95320e347ebd
https://git.kernel.org/stable/c/7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99
https://git.kernel.org/stable/c/baef27176ea5fdc7ad0947e2dc7733855e35db71
https://git.kernel.org/stable/c/d23f65f08247068576a01e28b297e995b7dc3965
https://git.kernel.org/stable/c/32854bc91ae7debcdefdc7ae881ed83385a04792
https://git.kernel.org/stable/c/734a3deb6614e3597e7e9ef7fb6006c593c5ee18
https://git.kernel.org/stable/c/98e5eb110095ec77cb6d775051d181edbf9cd3cf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Improve page fault error reporting If the IOMMU domain for a device group is not set up properly then we may hit an IOMMU page fault. The current page fault handler assumes that the domain is always set up and it will hit a NULL pointer dereference (see the sample log below). Let’s check whether the domain is set up or not and log an appropriate message. Sample log: ---------- amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6 BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89 Hardware name: xxx RIP: 0010:report_iommu_fault+0x11/0x90 […] Call Trace: <TASK> amd_iommu_int_thread+0x60c/0x760 ? __pfx_irq_thread_fn+0x10/0x10 irq_thread_fn+0x1f/0x60 irq_thread+0xea/0x1a0 ? preempt_count_add+0x6a/0xa0 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xe9/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> [joro: Edit commit message] 2025-12-09 not yet calculated CVE-2023-53789 https://git.kernel.org/stable/c/be8301e2d5a8b95c04ae8e35d7bfee7b0f03f83a
https://git.kernel.org/stable/c/446080b353f048b1fddaec1434cb3d27b5de7efe
https://git.kernel.org/stable/c/996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Zeroing allocated object from slab in bpf memory allocator Currently the freed element in bpf memory allocator may be immediately reused, for htab map the reuse will reinitialize special fields in map value (e.g., bpf_spin_lock), but lookup procedure may still access these special fields, and it may lead to hard-lockup as shown below: NMI backtrace for cpu 16 CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0 …… Call Trace: <TASK> copy_map_value_locked+0xb7/0x170 bpf_map_copy_value+0x113/0x3c0 __sys_bpf+0x1c67/0x2780 __x64_sys_bpf+0x1c/0x20 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 …… </TASK> For htab map, just like the preallocated case, there is no need to initialize these special fields in map value again once these fields have been initialized. For preallocated htab map, these fields are initialized through __GFP_ZERO in bpf_map_area_alloc(), so do the similar thing for non-preallocated htab in bpf memory allocator. And there is no need to use __GFP_ZERO for per-cpu bpf memory allocator, because __alloc_percpu_gfp() does it implicitly. 2025-12-09 not yet calculated CVE-2023-53790 https://git.kernel.org/stable/c/678ea18d6240299fd77d7000c8b1d7e5f274c8af
https://git.kernel.org/stable/c/5d447e04290e78bdc1a3a6c321320d384e09c2f1
https://git.kernel.org/stable/c/997849c4b969034e225153f41026657def66d286
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md: fix warning for holder mismatch from export_rdev() Commit a1d767191096 (“md: use mddev->external to select holder in export_rdev()”) fixed the problem that ‘claim_rdev’ is used for blkdev_get_by_dev() while ‘rdev’ is used for blkdev_put(). However, if mddev->external is changed from 0 to 1, then ‘rdev’ is used for blkdev_get_by_dev() while ‘claim_rdev’ is used for blkdev_put(). And this problem can be reproduced reliably by the following: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { kill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_by_sysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime Test result: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330 Modules linked in: multipath md_mod loop CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50 RIP: 0010:blkdev_put+0x27c/0x330 Call Trace: <TASK> export_rdev.isra.23+0x50/0xa0 [md_mod] mddev_unlock+0x19d/0x300 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fix the problem by recording if ‘rdev’ is used as holder. 2025-12-09 not yet calculated CVE-2023-53791 https://git.kernel.org/stable/c/99fcd427178d0f58f5520f8f01df727f8eaeb2c7
https://git.kernel.org/stable/c/99892147f028d711f9d40fefad4f33632593864c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_ctrl_secret Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error. 2025-12-09 not yet calculated CVE-2023-53792 https://git.kernel.org/stable/c/43d0724d756a13694f612a8a151f835ad6425b93
https://git.kernel.org/stable/c/39b90fc75943406d2bd60fd1ea041aca2559cc5f
https://git.kernel.org/stable/c/6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8
https://git.kernel.org/stable/c/99c2dcc8ffc24e210a3aa05c204d92f3ef460b05
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: perf tool x86: Fix perf_env memory leak Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) allocated from: #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439 #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369 #2 0x556701d70589 in perf_env__cpuid util/env.c:465 #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14 #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83 #5 0x556701d8f78b in evsel__config util/evsel.c:1366 #6 0x556701ef5872 in evlist__config util/record.c:108 #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112 #8 0x556701cacd07 in run_test tests/builtin-test.c:236 #9 0x556701cacfac in test_and_print tests/builtin-test.c:265 #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402 #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559 #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323 #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377 #14 0x556701d3be90 in run_argv tools/perf/perf.c:421 #15 0x556701d3c3f8 in main tools/perf/perf.c:537 #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). ``` 2025-12-09 not yet calculated CVE-2023-53793 https://git.kernel.org/stable/c/75d65c1cc439606ada882755fd205d13c2c7907d
https://git.kernel.org/stable/c/010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f
https://git.kernel.org/stable/c/f3daf02a41e3c11e1a473517a8a6169248fb8e7b
https://git.kernel.org/stable/c/99d4850062a84564f36923764bb93935ef2ed108
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don’t collect exiting session in smb2_reconnect_server(), because it will be released soon. Note that the exiting session will stay in server->smb_ses_list until it completes the cifs_free_ipc() and logoff() and then deletes itself from the list. 2025-12-09 not yet calculated CVE-2023-53794 https://git.kernel.org/stable/c/7e4f5c3f01fb0e51ca438e43262d858daf9a0a76
https://git.kernel.org/stable/c/759ffc164d95a32c09528766d74d9b4fb054e8f4
https://git.kernel.org/stable/c/99f280700b4cc02d5f141b8d15f8e9fad0418f65
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY); if (IS_ERR(obj)) return PTR_ERR(obj); iommufd_ref_to_users(obj); /* See iommufd_ref_to_users() */ if (!iommufd_object_destroy_user(ucmd->ictx, obj)) As part of the sequence to join the two existing primitives together. Allowing the refcount to be elevated without holding the destroy_rwsem violates the assumption that all temporary refcount elevations are protected by destroy_rwsem. Racing IOMMUFD_DESTROY with iommufd_object_destroy_user() will cause spurious failures: WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478 Modules linked in: CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477 Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41 RSP: 0018:ffffc90003067e08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500 R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88 R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0 Call Trace: <TASK> iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline] iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813 iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The solution is to not increment the refcount on the IOMMUFD_DESTROY path at all. Instead use the xa_lock to serialize everything. The refcount check == 1 and xa_erase can be done under a single critical region. This avoids the need for any refcount incrementing. It has the downside that if userspace races destroy with other operations it will get an EBUSY instead of waiting, but this kind of racing is already dangerous. 2025-12-09 not yet calculated CVE-2023-53795 https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce
https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix information leak in f2fs_move_inline_dirents() When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it doesn’t initialize the entire directory block. Fix this by zero-initializing the block. This bug was introduced by commit 4ec17d688d74 (“f2fs: avoid unneeded initializing when converting inline dentry”), which didn’t consider the security implications of leaking uninitialized memory to disk. This was found by running xfstest generic/435 on a KMSAN-enabled kernel. 2025-12-09 not yet calculated CVE-2023-53796 https://git.kernel.org/stable/c/4e3b4b170bd43db1d8a93a6bd0ea434b17cc86f7
https://git.kernel.org/stable/c/a6807ef0f3b3d8508d3b07a2e35de8a91820a014
https://git.kernel.org/stable/c/2bef8314fcf94ddc27e22d03f237c0fafd00de33
https://git.kernel.org/stable/c/00b5587326625d0fddb2a5f5a3d4acd950102ace
https://git.kernel.org/stable/c/117d4f6687b1f74423b5d398ea95c63b262a8e73
https://git.kernel.org/stable/c/f07a8d61b6ea81bb3cbe0638af40f8824d6147fd
https://git.kernel.org/stable/c/eebaecef0095bb8f493c03982da75c6e7bae1056
https://git.kernel.org/stable/c/9a5571cff4ffcfc24847df9fd545cc5799ac0ee5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: HID: wacom: Use ktime_t rather than int when dealing with timestamps Code which interacts with timestamps needs to use the ktime_t type returned by functions like ktime_get. The int type does not offer enough space to store these values, and attempting to use it is a recipe for problems. In this particular case, overflows would occur when calculating/storing timestamps leading to incorrect values being reported to userspace. In some cases these bad timestamps cause input handling in userspace to appear hung. 2025-12-09 not yet calculated CVE-2023-53797 https://git.kernel.org/stable/c/99036f1aed7e82773904f5d91a9897bb3e507fd9
https://git.kernel.org/stable/c/9598a647ecc8f300b0540abf9d3b3439859d163b
https://git.kernel.org/stable/c/67ce7724637c6adb66f788677cb50b82615de0ac
https://git.kernel.org/stable/c/d89750b19681581796dfbe3689bbb5d439b99b24
https://git.kernel.org/stable/c/bdeaa883b765709f231f47f9d6cc76c837a15396
https://git.kernel.org/stable/c/d0198363f9108e4adb2511e607ba91e44779e8b1
https://git.kernel.org/stable/c/9a6c0e28e215535b2938c61ded54603b4e5814c5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ethtool: Fix uninitialized number of lanes It is not possible to set the number of lanes when setting link modes using the legacy IOCTL ethtool interface. Since ‘struct ethtool_link_ksettings’ is not initialized in this path, drivers receive an uninitialized number of lanes in ‘struct ethtool_link_ksettings::lanes’. When this information is later queried from drivers, it results in the ethtool code making decisions based on uninitialized memory, leading to the following KMSAN splat [1]. In practice, this most likely only happens with the tun driver that simply returns whatever it got in the set operation. As far as I can tell, this uninitialized memory is not leaked to user space thanks to the ‘ethtool_ops->cap_link_lanes_supported’ check in linkmodes_prepare_data(). Fix by initializing the structure in the IOCTL path. Did not find any more call sites that pass an uninitialized structure when calling ‘ethtool_ops::set_link_ksettings()’. 
[1] BUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline] BUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline] ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640 genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 __sys_sendmsg net/socket.c:2584 [inline] __do_sys_sendmsg net/socket.c:2593 [inline] __se_sys_sendmsg net/socket.c:2591 [inline] __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544 __ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441 ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327 ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640 genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365 
netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 __sys_sendmsg net/socket.c:2584 [inline] __do_sys_sendmsg net/socket.c:2593 [inline] __se_sys_sendmsg net/socket.c:2591 [inline] __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553 ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609 __dev_ethtool net/ethtool/ioctl.c:3024 [inline] dev_ethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078 dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524 sock_do_ioctl+0x295/0x540 net/socket.c:1213 sock_i —truncated— 2025-12-09 not yet calculated CVE-2023-53798 https://git.kernel.org/stable/c/da81af0ef8092ecacd87fac3229c29e2e0ce39fd
https://git.kernel.org/stable/c/942a2a0184f7bb1c1ae4bbc556559c86c054b0d2
https://git.kernel.org/stable/c/6456d80045d6de47734b1a3879c91f72af186529
https://git.kernel.org/stable/c/72808c4ab5fd01bf1214195005e15b434bf55cef
https://git.kernel.org/stable/c/9ad685dbfe7e856bbf17a7177b64676d324d6ed7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: api – Use work queue in crypto_destroy_instance The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. 2025-12-09 not yet calculated CVE-2023-53799 https://git.kernel.org/stable/c/625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c
https://git.kernel.org/stable/c/048545d9fc6424b0a11e7e8771225bb9afe09422
https://git.kernel.org/stable/c/c4cb61c5f976183c07d16b0071f0c60bc212ef1f
https://git.kernel.org/stable/c/867a146690960ac7b89ce40f4ee60dd32eeb1682
https://git.kernel.org/stable/c/c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d
https://git.kernel.org/stable/c/9ae4577bc077a7e32c3c7d442c95bc76865c0f17
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ubi: Fix use-after-free when volume resizing failed There is a use-after-free problem reported by KASAN: ================================================================== BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi] Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735 CPU: 2 PID: 4735 Comm: ubirsvol Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 ubi_eba_copy_table+0x11f/0x1c0 [ubi] ubi_resize_volume+0x4f9/0xbc0 [ubi] ubi_cdev_ioctl+0x701/0x1850 [ubi] __x64_sys_ioctl+0x11d/0x170 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> When ubi_change_vtbl_record() returns an error in ubi_resize_volume(), “new_eba_tbl” will be freed on the error handling path, but it is held by “vol->eba_tbl” in ubi_eba_replace_table(). It means that the lifecycles of “vol->eba_tbl” and “vol” are different, so when resizing the volume the next time, it causes a use-after-free fault. Fix it by not freeing “new_eba_tbl” after it is replaced in ubi_eba_replace_table(); it will be freed in the next volume resizing. 2025-12-09 not yet calculated CVE-2023-53800 https://git.kernel.org/stable/c/bf9875aa7f7d624a8c084425b14bf7e5907ebc30
https://git.kernel.org/stable/c/bf795ebbb9995e2fe7945de71177f01c2f1215dc
https://git.kernel.org/stable/c/9c8be1f165baee53b5a36ea0b3c9281d403a1d0b
https://git.kernel.org/stable/c/35f8d4064e54c18424db2997059d4c0b1d13d093
https://git.kernel.org/stable/c/53818746e549e61841428892a8d94344494be797
https://git.kernel.org/stable/c/b0c951742348d216f094d16ed4f70ae73db881c0
https://git.kernel.org/stable/c/3d6378f7056ac7350338f941001162a8f660853c
https://git.kernel.org/stable/c/9af31d6ec1a4be4caab2550096c6bd2ba8fba472
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommu/sprd: Release dma buffer to avoid memory leak When attaching to a domain, the driver would alloc a DMA buffer which is used to store the address mapping table, and it needs to be released when the IOMMU domain is freed. 2025-12-09 not yet calculated CVE-2023-53801 https://git.kernel.org/stable/c/92c089a931fd3939cd32318cf4f54e69e8f51a19
https://git.kernel.org/stable/c/8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9
https://git.kernel.org/stable/c/d0a917fd5e3b3ed9d9306b4260ba684b982da9f3
https://git.kernel.org/stable/c/9afea57384d4ae7b2034593eac7fa76c7122762a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its management to another callback function. However, the skb is not freed in case there is no other callback function, and Syzkaller was able to cause a memory leak. Also a minor comment fix. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-12-09 not yet calculated CVE-2023-53802 https://git.kernel.org/stable/c/b11f95f65cc52ee3a756e6f6a88df37a203e25bd
https://git.kernel.org/stable/c/68171c006c8645a3e0293a6c3e6037c6538ac1c5
https://git.kernel.org/stable/c/564bc2222bf50eb6cdee715a5431bf4dc9f923c1
https://git.kernel.org/stable/c/ec246dfe006b2a8f36353f7489e4f525114db9a5
https://git.kernel.org/stable/c/c0c0614f143b568cd0e9525d53cf12e5dcd11987
https://git.kernel.org/stable/c/5a84e51f72580fc70066b03f3dac38421e702a0b
https://git.kernel.org/stable/c/bbfababb4f899fe1556eac195f9774b6fe675fb6
https://git.kernel.org/stable/c/9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() A fix for: BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271 Checking after (and before in next loop) addl_desc_ptr[1] is sufficient, we expect the size to be sanitized before first access to addl_desc_ptr[1]. Make sure we don’t walk beyond end of page. 2025-12-09 not yet calculated CVE-2023-53803 https://git.kernel.org/stable/c/da1a955c48a16e16e925d6544793914e52a6fa51
https://git.kernel.org/stable/c/9e5c7d52085b8c84bc82a261580f0eb170039325
https://git.kernel.org/stable/c/467afb1dd630d8c6d172bd6cacc125199b5f4f2d
https://git.kernel.org/stable/c/e4dd25da784b2e07dbfbf04509afa4c5a1375227
https://git.kernel.org/stable/c/2b28a7d261cb309912596d6a2d383ca370483527
https://git.kernel.org/stable/c/0dfe68394cbe1d4fe579fb325ecc813c50528c5a
https://git.kernel.org/stable/c/799e8dd2022d2e13f0c5c1906b40ceca07a23349
https://git.kernel.org/stable/c/9b4f5028e493cb353a5c8f5c45073eeea0303abd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may cause use-after-free read if inodes are left in “garbage_list” and released by nilfs_dispose_list() at the end of nilfs_detach_log_writer(). Fix this issue by modifying nilfs_evict_inode() to only clear inode without additional metadata changes that use nilfs_root if the file system is degraded to read-only or the writer is detached. 2025-12-09 not yet calculated CVE-2023-53804 https://git.kernel.org/stable/c/f31e18131ee2ce80a4da5c808221d25b1ae9ad6d
https://git.kernel.org/stable/c/2a782ea8ebd712a458466e3103e2881b4f886cb5
https://git.kernel.org/stable/c/116d53f09ff52e6f98e3fe1f85d8898d6ba26c68
https://git.kernel.org/stable/c/6b4205ea97901f822004e6c8d59484ccfda03faa
https://git.kernel.org/stable/c/b8427b8522d9ede53015ba45a9978ba68d1162f5
https://git.kernel.org/stable/c/acc2a40e428f12780004e1e9fce4722d88f909fd
https://git.kernel.org/stable/c/fb8e8d58f116d069e5939e1f786ac84e7fa4533e
https://git.kernel.org/stable/c/9b5a04ac3ad9898c4745cba46ea26de74ba56a8e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: populate subvp cmd info only for the top pipe [Why] System restart observed while changing the display resolution to 8k with extended mode. System restart was caused by a page fault. [How] When the driver populates subvp info it did it for both the pipes using vblank, which caused an out-of-bounds array access causing the page fault. Added checks to allow the top pipe only to fix this issue. 2025-12-09 not yet calculated CVE-2023-53806 https://git.kernel.org/stable/c/92e6c79acad4b96efeff261d27bdbd8089a7dd24
https://git.kernel.org/stable/c/375d192eb1f1d9229a6d994da7ba31f3582b106b
https://git.kernel.org/stable/c/9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Smatch detected this potential error pointer dereference in clk_wzrd_register_divider(). If devm_clk_hw_register() fails then it sets “hw” to an error pointer and then dereferences it on the next line. Return the error directly instead. 2025-12-09 not yet calculated CVE-2023-53807 https://git.kernel.org/stable/c/2f276dd9c0f835242836d9f6823035158ce2585c
https://git.kernel.org/stable/c/b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7
https://git.kernel.org/stable/c/25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5
https://git.kernel.org/stable/c/f078a65ebf930f4305e3c415a8338d22391642c9
https://git.kernel.org/stable/c/9c632a6396505a019ea6d12b5ab45e659a542a93
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() Always free the zeroed page on return from ‘mwifiex_histogram_read()’. 2025-12-09 not yet calculated CVE-2023-53808 https://git.kernel.org/stable/c/d3b53ac2b60283f84bcc650aaa8af98500f37b56
https://git.kernel.org/stable/c/7be90670b967d11f53a9d45bc88fa8ac9daf9709
https://git.kernel.org/stable/c/8f717752f94efae84853e17f2589665c330a0cf5
https://git.kernel.org/stable/c/0c4240d23db525208fd40dd6371ca3254fa1b93d
https://git.kernel.org/stable/c/308eb3a609ac39ca9c3e466b35e8825007c8d826
https://git.kernel.org/stable/c/84081b4baafb49211193c6a056d5aee9c0e6ab8e
https://git.kernel.org/stable/c/5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c
https://git.kernel.org/stable/c/f76e1da838377777557d78dfeb6d8c532f7118be
https://git.kernel.org/stable/c/9c8fd72a5c2a031cbc680a2990107ecd958ffcdb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() When a file descriptor of a pppol2tp socket is passed as the file descriptor of the UDP socket, a recursive deadlock occurs in l2tp_tunnel_register(). This situation is reproduced by the following program: int main(void) { int sock; struct sockaddr_pppol2tp addr; sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP); if (sock < 0) { perror("socket"); return 1; } addr.sa_family = AF_PPPOX; addr.sa_protocol = PX_PROTO_OL2TP; addr.pppol2tp.pid = 0; addr.pppol2tp.fd = sock; addr.pppol2tp.addr.sin_family = PF_INET; addr.pppol2tp.addr.sin_port = htons(0); addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1"); addr.pppol2tp.s_tunnel = 1; addr.pppol2tp.s_session = 0; addr.pppol2tp.d_tunnel = 0; addr.pppol2tp.d_session = 0; if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("connect"); return 1; } return 0; } This program causes the following lockdep warning: ============================================ WARNING: possible recursive locking detected 6.2.0-rc5-00205-gc96618275234 #56 Not tainted ——————————————– repro/8607 is trying to acquire lock: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0 but task is already holding lock: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 —- lock(sk_lock-AF_PPPOX); lock(sk_lock-AF_PPPOX); *** DEADLOCK *** May be due to missing lock nesting notation 1 lock held by repro/8607: #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30 stack backtrace: CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x100/0x178 __lock_acquire.cold+0x119/0x3b9 ? 
lockdep_hardirqs_on_prepare+0x410/0x410 lock_acquire+0x1e0/0x610 ? l2tp_tunnel_register+0x2b7/0x11c0 ? lock_downgrade+0x710/0x710 ? __fget_files+0x283/0x3e0 lock_sock_nested+0x3a/0xf0 ? l2tp_tunnel_register+0x2b7/0x11c0 l2tp_tunnel_register+0x2b7/0x11c0 ? sprintf+0xc4/0x100 ? l2tp_tunnel_del_work+0x6b0/0x6b0 ? debug_object_deactivate+0x320/0x320 ? lockdep_init_map_type+0x16d/0x7a0 ? lockdep_init_map_type+0x16d/0x7a0 ? l2tp_tunnel_create+0x2bf/0x4b0 ? l2tp_tunnel_create+0x3c6/0x4b0 pppol2tp_connect+0x14e1/0x1a30 ? pppol2tp_put_sk+0xd0/0xd0 ? aa_sk_perm+0x2b7/0xa80 ? aa_af_perm+0x260/0x260 ? bpf_lsm_socket_connect+0x9/0x10 ? pppol2tp_put_sk+0xd0/0xd0 __sys_connect_file+0x14f/0x190 __sys_connect+0x133/0x160 ? __sys_connect_file+0x190/0x190 ? lockdep_hardirqs_on+0x7d/0x100 ? ktime_get_coarse_real_ts64+0x1b7/0x200 ? ktime_get_coarse_real_ts64+0x147/0x200 ? __audit_syscall_entry+0x396/0x500 __x64_sys_connect+0x72/0xb0 do_syscall_64+0x38/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd This patch fixes the issue by getting/creating the tunnel before locking the pppol2tp socket. 2025-12-09 not yet calculated CVE-2023-53809 https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9
https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244
https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70
https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314
https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: blk-mq: release crypto keyslot before reporting I/O complete Once all I/O using a blk_crypto_key has completed, filesystems can call blk_crypto_evict_key(). However, the block layer currently doesn’t call blk_crypto_put_keyslot() until the request is being freed, which happens after upper layers have been told (via bio_endio()) the I/O has completed. This causes a race condition where blk_crypto_evict_key() can see ‘slot_refs != 0’ without there being an actual bug. This makes __blk_crypto_evict_key() hit the ‘WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)’ and return without doing anything, eventually causing a use-after-free in blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only been seen when per-file keys are being used with fscrypt.) There are two options to fix this: either release the keyslot before bio_endio() is called on the request’s last bio, or make __blk_crypto_evict_key() ignore slot_refs. Let’s go with the first solution, since it preserves the ability to report bugs (via WARN_ON_ONCE) where a key is evicted while still in-use. 2025-12-09 not yet calculated CVE-2023-53810 https://git.kernel.org/stable/c/874bdf43b4a7dc5463c31508f62b3e42eb237b08
https://git.kernel.org/stable/c/d206f79d9cd658665b37ce8134c6ec849ac7af0c
https://git.kernel.org/stable/c/7d206ec7a04e8545828191b6ea8b49d3ea61391f
https://git.kernel.org/stable/c/b278570e2c59d538216f8b656e97680188a8fba4
https://git.kernel.org/stable/c/92d5d233b9ff531cf9cc36ab4251779e07adb633
https://git.kernel.org/stable/c/9cd1e566676bbcb8a126acd921e4e194e6339603
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Cap MSIX used to online CPUs + 1 The irdma driver can use a maximum number of msix vectors equal to num_online_cpus() + 1 and the kernel warning stack below is shown if that number is exceeded. The kernel throws a warning as the driver tries to update the affinity hint with a CPU mask greater than the max CPU IDs. Fix this by capping the MSIX vectors to num_online_cpus() + 1. WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma] RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma] Call Trace: irdma_rt_init_hw+0xa62/0x1290 [irdma] ? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma] ? __is_kernel_percpu_address+0x63/0x310 ? rcu_read_lock_held_common+0xe/0xb0 ? irdma_lan_unregister_qset+0x280/0x280 [irdma] ? irdma_request_reset+0x80/0x80 [irdma] ? ice_get_qos_params+0x84/0x390 [ice] irdma_probe+0xa40/0xfc0 [irdma] ? rcu_read_lock_bh_held+0xd0/0xd0 ? irdma_remove+0x140/0x140 [irdma] ? rcu_read_lock_sched_held+0x62/0xe0 ? down_write+0x187/0x3d0 ? auxiliary_match_id+0xf0/0x1a0 ? irdma_remove+0x140/0x140 [irdma] auxiliary_bus_probe+0xa6/0x100 __driver_probe_device+0x4a4/0xd50 ? __device_attach_driver+0x2c0/0x2c0 driver_probe_device+0x4a/0x110 __driver_attach+0x1aa/0x350 bus_for_each_dev+0x11d/0x1b0 ? subsys_dev_iter_init+0xe0/0xe0 bus_add_driver+0x3b1/0x610 driver_register+0x18e/0x410 ? 0xffffffffc0b88000 irdma_init_module+0x50/0xaa [irdma] do_one_initcall+0x103/0x5f0 ? perf_trace_initcall_level+0x420/0x420 ? do_init_module+0x4e/0x700 ? __kasan_kmalloc+0x7d/0xa0 ? kmem_cache_alloc_trace+0x188/0x2b0 ? kasan_unpoison+0x21/0x50 do_init_module+0x1d1/0x700 load_module+0x3867/0x5260 ? layout_and_allocate+0x3990/0x3990 ? rcu_read_lock_held_common+0xe/0xb0 ? rcu_read_lock_sched_held+0x62/0xe0 ? rcu_read_lock_bh_held+0xd0/0xd0 ? __vmalloc_node_range+0x46b/0x890 ? lock_release+0x5c8/0xba0 ? alloc_vm_area+0x120/0x120 ? 
selinux_kernel_module_from_file+0x2a5/0x300 ? __inode_security_revalidate+0xf0/0xf0 ? __do_sys_init_module+0x1db/0x260 __do_sys_init_module+0x1db/0x260 ? load_module+0x5260/0x5260 ? do_syscall_64+0x22/0x450 do_syscall_64+0xa5/0x450 entry_SYSCALL_64_after_hwframe+0x66/0xdb 2025-12-09 not yet calculated CVE-2023-53811 https://git.kernel.org/stable/c/87674a359ad173a3b8cd484e92e4f1901666da4c
https://git.kernel.org/stable/c/b3bd44bf20cb3a6a47aa4373e1817147efb4be04
https://git.kernel.org/stable/c/209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f
https://git.kernel.org/stable/c/9cd9842c46996ef62173c36619c746f57416bcb0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix decoder disable pm crash Can’t call pm_runtime_disable when the architecture supports sub devices and ‘dev->pm.dev’ is NULL, or we will get the crash log below. [ 10.771551] pc : _raw_spin_lock_irq+0x4c/0xa0 [ 10.771556] lr : __pm_runtime_disable+0x30/0x130 [ 10.771558] sp : ffffffc01e4cb800 [ 10.771559] x29: ffffffc01e4cb800 x28: ffffffdf082108a8 [ 10.771563] x27: ffffffc01e4cbd70 x26: ffffff8605df55f0 [ 10.771567] x25: 0000000000000002 x24: 0000000000000002 [ 10.771570] x23: ffffff85c0dc9c00 x22: 0000000000000001 [ 10.771573] x21: 0000000000000001 x20: 0000000000000000 [ 10.771577] x19: 00000000000000f4 x18: ffffffdf2e9fbe18 [ 10.771580] x17: 0000000000000000 x16: ffffffdf2df13c74 [ 10.771583] x15: 00000000000002ea x14: 0000000000000058 [ 10.771587] x13: ffffffdf2de1b62c x12: ffffffdf2e9e30e4 [ 10.771590] x11: 0000000000000000 x10: 0000000000000001 [ 10.771593] x9 : 0000000000000000 x8 : 00000000000000f4 [ 10.771596] x7 : 6bff6264632c6264 x6 : 0000000000008000 [ 10.771600] x5 : 0080000000000000 x4 : 0000000000000001 [ 10.771603] x3 : 0000000000000008 x2 : 0000000000000001 [ 10.771608] x1 : 0000000000000000 x0 : 00000000000000f4 [ 10.771613] Call trace: [ 10.771617] _raw_spin_lock_irq+0x4c/0xa0 [ 10.771620] __pm_runtime_disable+0x30/0x130 [ 10.771657] mtk_vcodec_probe+0x69c/0x728 [mtk_vcodec_dec 800cc929d6631f79f9b273254c8db94d0d3500dc] [ 10.771662] platform_drv_probe+0x9c/0xbc [ 10.771665] really_probe+0x13c/0x3a0 [ 10.771668] driver_probe_device+0x84/0xc0 [ 10.771671] device_driver_attach+0x54/0x78 2025-12-09 not yet calculated CVE-2023-53812 https://git.kernel.org/stable/c/c692a44bc5146eb487f40798a1ea8dd57fd2607d
https://git.kernel.org/stable/c/03e9773388a27242e6139f3d5b5fd00112adb5c3
https://git.kernel.org/stable/c/34fe290090ecfcf405cad9d0e0ddc8b8246ffaa2
https://git.kernel.org/stable/c/9d2f13fb47dcab6d094f34ecfd6a879a409722b3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix rbtree traversal bug in ext4_mb_use_preallocated During allocations, while looking for preallocations (PA) in the per inode rbtree, we can’t do a direct traversal of the tree because ext4_mb_discard_group_preallocation() can in parallel mark the pa deleted and that can cause direct traversal to skip some entries. This was leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy our request and ultimately tried to create a new PA that would overlap with the missed one. To make sure we handle that case while still keeping the performance of the rbtree, we make use of the fact that the only pa that could possibly overlap the original goal start is the one that satisfies the below conditions: 1. It must have its logical start immediately to the left of (ie less than) the original logical start. 2. It must not be deleted. To find this pa we use the following traversal method: 1. Descend into the rbtree normally to find the immediate neighboring PA. Here we keep descending irrespective of whether the PA is deleted or whether it overlaps with our request etc. The goal is to find an immediately adjacent PA. 2. If the found PA is on the right of the original goal, use rb_prev() to find the left adjacent PA. 3. Check if this PA is deleted and keep moving left with rb_prev() until a non-deleted PA is found. 4. This is the PA we are looking for. Now we can check if it can satisfy the original request and proceed accordingly. This approach also takes care of having deleted PAs in the tree. (While we are at it, also fix a possible overflow bug in calculating the end of a PA) [1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/ 2025-12-09 not yet calculated CVE-2023-53813 https://git.kernel.org/stable/c/339fee69a1daa71d6f97e47a867e2c32419a2406
https://git.kernel.org/stable/c/9d3de7ee192a6a253f475197fe4d2e2af10a731f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI: Fix dropping valid root bus resources with .end = zero On r8a7791/koelsch: kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xc3a34e00 (size 64): comm “swapper/0”, pid 1, jiffies 4294937460 (age 199.080s) hex dump (first 32 bytes): b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]…]………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<fe3aa979>] __kmalloc+0xf0/0x140 [<34bd6bc0>] resource_list_create_entry+0x18/0x38 [<767046bc>] pci_add_resource_offset+0x20/0x68 [<b3f3edf2>] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390 When coalescing two resources for a contiguous aperture, the second resource is enlarged to cover the full contiguous range, while the first resource is marked invalid. This invalidation is done by clearing the flags, start, and end members. When adding the initial resources to the bus later, invalid resources are skipped. Unfortunately, the check for an invalid resource considers only the end member, causing false positives. E.g. on r8a7791/koelsch, root bus resource 0 (“bus 00”) is skipped, and no longer registered with pci_bus_insert_busn_res() (causing the memory leak), nor printed: pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges: pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000 pci-rcar-gen2 ee090000.pci: PCI: revision 11 pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00 -pci_bus 0000:00: root bus resource [bus 00] pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff] Fix this by only skipping resources where all of the flags, start, and end members are zero. 2025-12-09 not yet calculated CVE-2023-53814 https://git.kernel.org/stable/c/e4af080f3ef6a65b0d702988c2471a47c9ae2cc0
https://git.kernel.org/stable/c/fe6a1fbe83f5b23d7db93596b793561230f06b40
https://git.kernel.org/stable/c/7e6f2714d93cdf977b6124a80af2cf0e14e2d407
https://git.kernel.org/stable/c/9d8ba74a181b1c81def21168795ed96cbe6f05ed
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: posix-timers: Prevent RT livelock in itimer_delete() itimer_delete() has a retry loop when the timer is concurrently expired. On non-RT kernels this just spin-waits until the timer callback has completed, except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK enabled. In that case and on RT kernels the existing task could live lock when preempting the task which does the timer delivery. Replace spin_unlock() with an invocation of timer_wait_running() to handle it the same way as the other retry loops in the posix timer code. 2025-12-09 not yet calculated CVE-2023-53815 https://git.kernel.org/stable/c/f1be1ed32daa053484222f7f9beb2b16c624dffd
https://git.kernel.org/stable/c/0670c4c567b27bd8f999a943028f4fe60d1a1106
https://git.kernel.org/stable/c/e7aff15ba29ba4b3052786b1636fa5c4aa39e179
https://git.kernel.org/stable/c/f9bd298e3e4d3fd6e19f017789a42d0f332cd555
https://git.kernel.org/stable/c/c1968bb8a28625cc95d2ad3ca872ab98c9c36d59
https://git.kernel.org/stable/c/9d9e522010eb5685d8b53e8a24320653d9d4cbbf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix potential kgd_mem UAFs kgd_mem pointers returned by kfd_process_device_translate_handle are only guaranteed to be valid while p->mutex is held. As soon as the mutex is unlocked, another thread can free the BO. 2025-12-09 not yet calculated CVE-2023-53816 https://git.kernel.org/stable/c/5045360f3bb62ccd4f87202e33489f71f8bbc3fc
https://git.kernel.org/stable/c/5ca14fb5552ac13a2402d306c0bd2379a71610ff
https://git.kernel.org/stable/c/9da050b0d9e04439d225a2ec3044af70cdfb3933
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi – avoid null pointer deref in mpi_cmp_ui() During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie-Hellman group and passing a correctly sized, but zeroed Diffie-Hellman value. mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui(). 2025-12-09 not yet calculated CVE-2023-53817 https://git.kernel.org/stable/c/fde791e8a96a64ea7b0ad2440e43586447a209c6
https://git.kernel.org/stable/c/ae63e84ffda74267bf7277c38415ba38389229a0
https://git.kernel.org/stable/c/61f5453e9706e99713825594e0c8f9031485fb5f
https://git.kernel.org/stable/c/0fc7147c694394f8a8cbc19570c6bc918cac0906
https://git.kernel.org/stable/c/67589d247909043e94d2dd5fb590958e0f99d58d
https://git.kernel.org/stable/c/d3ad023a39f1127dcfd331c562673355dc078650
https://git.kernel.org/stable/c/12ac013ad7ff0df066451e825801d805095b3776
https://git.kernel.org/stable/c/9e47a758b70167c9301d2b44d2569f86c7796f2d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ARM: zynq: Fix refcount leak in zynq_early_slcr_init of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on error path. Add missing of_node_put() to avoid refcount leak. 2025-12-09 not yet calculated CVE-2023-53818 https://git.kernel.org/stable/c/f00bc6727adf840eb208700ea27cda4f3742629d
https://git.kernel.org/stable/c/351b7e93d02b50b2faae2d4bda28e16a8389cbb7
https://git.kernel.org/stable/c/ede0334bf4df360f4f9446075cffbbb3bc54d0b6
https://git.kernel.org/stable/c/227f8c1c5c4b3d131b66e57e58d38054f441b915
https://git.kernel.org/stable/c/1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b
https://git.kernel.org/stable/c/e43a06c73be4b93d308f0df809ee0023b7c37b54
https://git.kernel.org/stable/c/4c22ee805202087c2553c9175968e9e922d75bc1
https://git.kernel.org/stable/c/9eedb910a3be0005b88c696a8552c0d4c9937cd4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows. v2: keep the validations in amdgpu_vm_bo_map v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map rather than to amdgpu_gem_va_ioctl 2025-12-09 not yet calculated CVE-2023-53819 https://git.kernel.org/stable/c/82aace80cfaab778245bd2f9e31b67953725e4d0
https://git.kernel.org/stable/c/d83c337e654d58d3edd15a2ae76e87dc601c07d9
https://git.kernel.org/stable/c/968e27fd037ec4732068820a9b9836eccc0e0a12
https://git.kernel.org/stable/c/4300a47e4017c9febb60ffa7d39723eeaed00f2b
https://git.kernel.org/stable/c/b10db1d2137415e5e7f9706d96cfe77539c499d4
https://git.kernel.org/stable/c/f015aadc0d973047f49526a127e900c488d4e425
https://git.kernel.org/stable/c/bc6dbf34dc4fb639522f3e8e66ef05997c0441ee
https://git.kernel.org/stable/c/9f0bcf49e9895cb005d78b33a5eebfa11711b425
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: loop: loop_set_status_from_info() check before assignment In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, because if an overflow error occurs, the original correct value will be changed to the wrong value, and it will not be changed back. Moreover, the original patch did not solve the problem: the value was set and ioctl returned an error, but the subsequent I/O used the value in the loop driver, which still caused an alarm: loop_handle_cmd do_req_filebacked loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset; lo_rw_aio cmd->iocb.ki_pos = pos 2025-12-09 not yet calculated CVE-2023-53820 https://git.kernel.org/stable/c/832580af82ace363205039a8e7c4ef04552ccc1a
https://git.kernel.org/stable/c/861021710bba9dfa0749a3c209a6c1773208b1f1
https://git.kernel.org/stable/c/c79a924ed6afac1708dfd370ba66bcf6a852ced6
https://git.kernel.org/stable/c/3e7d0968203d668af6036b9f9199c7b62c8a3581
https://git.kernel.org/stable/c/4be26d553a3f1d4f54f25353d1496c562002126d
https://git.kernel.org/stable/c/258809bf22bf71d53247856f374f2b1d055f2fd4
https://git.kernel.org/stable/c/9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. The stack information is as follows: BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11d/0x130 decode_session6+0x103f/0x1890 __xfrm_decode_session+0x54/0xb0 vti6_tnl_xmit+0x3e6/0x1ee0 dev_hard_start_xmit+0x187/0x700 sch_direct_xmit+0x1a3/0xc30 __qdisc_run+0x510/0x17a0 __dev_queue_xmit+0x2215/0x3b10 neigh_connected_output+0x3c2/0x550 ip6_finish_output2+0x55a/0x1550 ip6_finish_output+0x6b9/0x1270 ip6_output+0x1f1/0x540 ndisc_send_skb+0xa63/0x1890 ndisc_send_rs+0x132/0x6f0 addrconf_rs_timer+0x3f1/0x870 call_timer_fn+0x1a0/0x580 expire_timers+0x29b/0x4b0 run_timer_softirq+0x326/0x910 __do_softirq+0x1d4/0x905 irq_exit_rcu+0xb7/0x120 sysvec_apic_timer_interrupt+0x97/0xc0 </IRQ> Allocated by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x7f/0x90 kmem_cache_alloc_node+0x1cd/0x410 kmalloc_reserve+0x165/0x270 __alloc_skb+0x129/0x330 netlink_sendmsg+0x9b1/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x40 ____kasan_slab_free+0x160/0x1c0 slab_free_freelist_hook+0x11b/0x220 kmem_cache_free+0xf0/0x490 skb_free_head+0x17f/0x1b0 
skb_release_data+0x59c/0x850 consume_skb+0xd2/0x170 netlink_unicast+0x54f/0x7f0 netlink_sendmsg+0x926/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88802e08ed00 which belongs to the cache skbuff_small_head of size 640 The buggy address is located 194 bytes inside of freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80) As commit f855691975bb (“xfrm6: Fix the nexthdr offset in _decode_session6.”) showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. 2025-12-09 not yet calculated CVE-2023-53821 https://git.kernel.org/stable/c/0f0ab8d52ee0062b28367dea23c29e254a26d7db
https://git.kernel.org/stable/c/fa6c6c04f6c9b21b315023f487e5a07ae7fcf647
https://git.kernel.org/stable/c/eb47e612e59c358c3968a92f90dd36c78c9a2106
https://git.kernel.org/stable/c/ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36
https://git.kernel.org/stable/c/a1639a82ce14af76b6419778d343ccbff86ee626
https://git.kernel.org/stable/c/55ad2309205cc00c585344374c7472420e1b2c12
https://git.kernel.org/stable/c/c070688bfbe7759e61e697e421b2a331b0dd74bc
https://git.kernel.org/stable/c/9fd41f1ba638938c9a1195d09bc6fa3be2712f25
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp. When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk in ath11k_dp_rx_h_sort_frags, skb null leads to exception. To address this, before processing received fragments we check dp_setup_done flag is set to ensure that peer has completed its dp peer setup for fragment queue, else ignore processing the fragments. Call trace: ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] ath11k_dp_service_srng+0x70/0x370 [ath11k] 0xffffffc009693a04 __napi_poll+0x30/0xa4 net_rx_action+0x118/0x270 __do_softirq+0x10c/0x244 irq_exit+0x64/0xb4 __handle_domain_irq+0x88/0xac gic_handle_irq+0x74/0xbc el1_irq+0xf0/0x1c0 arch_cpu_idle+0x10/0x18 do_idle+0x104/0x248 cpu_startup_entry+0x20/0x64 rest_init+0xd0/0xdc arch_call_rest_init+0xc/0x14 start_kernel+0x480/0x4b8 Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 2025-12-09 not yet calculated CVE-2023-53822 https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec
https://git.kernel.org/stable/c/41efc47f5bc53e63461579e206adc17c4452ab6e
https://git.kernel.org/stable/c/a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e (“block: disable the elevator int del_gendisk”) moved rq_qos_exit() from disk_release() to del_gendisk(); this introduces some problems: 1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can run concurrently with del_gendisk(); it’s not safe to write ‘q->rq_qos’ concurrently. 2) Activating a cgroup policy that relies on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, a null-ptr-dereference will be triggered in blkcg_activate_policy(). 3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk; then, if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), memory will be leaked. This patch adds a new disk-level mutex ‘rq_qos_mutex’: 1) The lock will protect rq_qos_exit() directly. 2) For wbt, which doesn’t rely on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can’t be destructed until rq_qos_exit(), so it’s safe not to protect wbt for now. However, in case dynamic rq_qos destruction is supported in the future, this patch also protects rq_qos_add() from wbt_init() directly; this is enough because blk-sysfs already synchronizes writers with disk removal. 3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock. 2025-12-09 not yet calculated CVE-2023-53823 https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce
https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netlink: annotate lockless accesses to nlk->max_recvmsg_len syzbot reported a data-race in netlink_recvmsg() [1] Indeed, netlink_recvmsg() can be run concurrently, and netlink_dump() also needs protection. [1] BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0: netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg net/socket.c:1038 [inline] __sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194 __do_sys_recvfrom net/socket.c:2212 [inline] __se_sys_recvfrom net/socket.c:2208 [inline] __x64_sys_recvfrom+0x78/0x90 net/socket.c:2208 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1: netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg net/socket.c:1038 [inline] ____sys_recvmsg+0x156/0x310 net/socket.c:2720 ___sys_recvmsg net/socket.c:2762 [inline] do_recvmmsg+0x2e5/0x710 net/socket.c:2856 __sys_recvmmsg net/socket.c:2935 [inline] __do_sys_recvmmsg net/socket.c:2958 [inline] __se_sys_recvmmsg net/socket.c:2951 [inline] __x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x0000000000000000 -> 0x0000000000001000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 2025-12-09 not yet calculated CVE-2023-53824 https://git.kernel.org/stable/c/05c9e3fc93b02d18c3ab258d43350a6d44b40bbd
https://git.kernel.org/stable/c/7cff4103be7c402ecc3e7bf8f95a64089e3c91b8
https://git.kernel.org/stable/c/e3bcf2a77060bea4d8d09cb09d92c7056f07df5a
https://git.kernel.org/stable/c/fc4ba13013ddaea8b11b88fd52b35449e2d9cf85
https://git.kernel.org/stable/c/a1865f2e7d10dde00d35a2122b38d2e469ae67ed
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 (“kcm: Fix memory leak in error path of kcm_sendmsg()”) suppressed it by updating kcm_tx_msg(head)->last_skb if partial data is copied so that the following sendmsg() will resume from the skb. However, we cannot know how many bytes were copied when we get the error. Thus, we could mess up the MSG_MORE queue. When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we do so for UDP by udp_flush_pending_frames(). Even without this change, when the error occurred, the following sendmsg() resumed from a wrong skb and the queue was messed up. However, we have yet to get such a report, and only syzkaller stumbled on it. So, this can be changed safely. Note this does not change SOCK_SEQPACKET behaviour. 2025-12-09 not yet calculated CVE-2023-53825 https://git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce
https://git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b
https://git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b
https://git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17
https://git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc
https://git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6
https://git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1
https://git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show(), for example: __erase_worker eraseblk_count_seq_show wl = ubi->lookuptbl[*block_number] if (wl) wl_entry_destroy ubi->lookuptbl[e->pnum] = NULL kmem_cache_free(ubi_wl_entry_slab, e) erase_count = wl->ec // UAF! Wear-leveling entry updating/accessing in ubi->lookuptbl should be protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize wl entry accessing between wl_entry_destroy() and eraseblk_count_seq_show(). Fetch a reproducer in [Link]. 2025-12-09 not yet calculated CVE-2023-53826 https://git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845
https://git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1
https://git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38
https://git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24
https://git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12
https://git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad
https://git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143
https://git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 (“Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put”), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. 2025-12-09 not yet calculated CVE-2023-53827 https://git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958
https://git.kernel.org/stable/c/1351551aa9058e07a20a27a158270cf84fcde621
https://git.kernel.org/stable/c/c02421992505c95c7f3c9ad59ee35e22eac60988
https://git.kernel.org/stable/c/d9ba36c22a7bb09d6bac4cc2f243eff05da53f43
https://git.kernel.org/stable/c/ac6725a634f7e8c0330610a8527f20c730b61115
https://git.kernel.org/stable/c/348d446762e7c70778df8bafbdf3fa0df2123f58
https://git.kernel.org/stable/c/d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284
https://git.kernel.org/stable/c/a2a9339e1c9deb7e1e079e12e27a0265aea8421a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor(). While adding an adv monitor, hci_add_adv_monitor() calls -> msft_add_monitor_pattern() calls -> msft_add_monitor_sync() calls -> msft_le_monitor_advertisement_cb() calls in an error case -> hci_free_adv_monitor() which frees the *monitor. This is referenced by bt_dev_dbg() in hci_add_adv_monitor(). Fix the bt_dev_dbg() by using handle instead of monitor->handle. 2025-12-09 not yet calculated CVE-2023-53828 https://git.kernel.org/stable/c/81d8e9f59df63b8358751c1ffed9f1cf5c796909
https://git.kernel.org/stable/c/aafda69d4807f5edf3558c9534be9b911774e63a
https://git.kernel.org/stable/c/8d66f7ced51cb924bc90278d6a0a26a52877271a
https://git.kernel.org/stable/c/a2bcd2b63271a93a695fabbfbf459c603d956d48
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: flush inode if atomic file is aborted Let’s flush the inode being aborted atomic operation to avoid stale dirty inode during eviction in this call stack: f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs] f2fs_abort_atomic_write+0xc4/0xf0 [f2fs] f2fs_evict_inode+0x3f/0x690 [f2fs] ? sugov_start+0x140/0x140 evict+0xc3/0x1c0 evict_inodes+0x17b/0x210 generic_shutdown_super+0x32/0x120 kill_block_super+0x21/0x50 deactivate_locked_super+0x31/0x90 cleanup_mnt+0x100/0x160 task_work_run+0x59/0x90 do_exit+0x33b/0xa50 do_group_exit+0x2d/0x80 __x64_sys_exit_group+0x14/0x20 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd This triggers f2fs_bug_on() in f2fs_evict_inode: f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); This fixes the syzbot report: loop0: detected capacity change from 0 to 131072 F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): Found nat_bits in checkpoint F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 ————[ cut here ]———— kernel BUG at fs/f2fs/inode.c:869! 
invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869 Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007 RBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000 R13: ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0 Call Trace: <TASK> evict+0x2ed/0x6b0 fs/inode.c:665 dispose_list+0x117/0x1e0 fs/inode.c:698 evict_inodes+0x345/0x440 fs/inode.c:748 generic_shutdown_super+0xaf/0x480 fs/super.c:478 kill_block_super+0x64/0xb0 fs/super.c:1417 kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704 deactivate_locked_super+0x98/0x160 fs/super.c:330 deactivate_super+0xb1/0xd0 fs/super.c:361 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa9a/0x29a0 kernel/exit.c:874 do_group_exit+0xd4/0x2a0 kernel/exit.c:1024 __do_sys_exit_group kernel/exit.c:1035 [inline] __se_sys_exit_group kernel/exit.c:1033 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f309be71a09 Code: Unable to access opcode bytes at 
0x7f309be719df. RSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40 R10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 </TASK> Modules linked in: —[ end trace 0000000000000000 ]— RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869 Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000 —truncated— 2025-12-09 not yet calculated CVE-2023-53829 https://git.kernel.org/stable/c/1c64dbe8fa3552a340bca6d7fa09468c16ed2a85
https://git.kernel.org/stable/c/bfa7853bb47fee0c17030b377c98cf4ede47ba33
https://git.kernel.org/stable/c/a3ab55746612247ce3dcaac6de66f5ffc055b9df
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leak when showing current settings When retrieving an item string with tlmi_setting(), the result has to be freed using kfree(). In current_value_show(), however, malformed item strings are not freed, causing a memory leak. Fix this by eliminating the early return responsible for this. 2025-12-09 not yet calculated CVE-2023-53830 https://git.kernel.org/stable/c/b9396d991abe8d1ac31a043274ab20b49f92c2e6
https://git.kernel.org/stable/c/9071525bfcb1f5674117dbed3eca0cd7b122813b
https://git.kernel.org/stable/c/5f99014c19fa50a5719c0bb78143282632675893
https://git.kernel.org/stable/c/a3c4c053014585dcf20f4df954791b74d8a8afcd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: read sk->sk_family once in sk_mc_loop() syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() We have many more similar issues to fix. WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 Modules linked in: CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Workqueue: events_power_efficient gc_worker RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 RSP: 0018:ffffc90000388530 EFLAGS: 00010246 RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> [<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 [<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline] [<ffffffff852071cf>] 
ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline] [<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 [<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline] [<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 [<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 [<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 [<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline] [<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 [<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 2025-12-09 not yet calculated CVE-2023-53831 https://git.kernel.org/stable/c/7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b
https://git.kernel.org/stable/c/e918d0211ffbaf039447334c3460cafee1ce0157
https://git.kernel.org/stable/c/41f10a4d78fe69d685a3172e6884297f233dcf95
https://git.kernel.org/stable/c/895dc4c47171a20035cdaa8d74c1c1e97f2fc974
https://git.kernel.org/stable/c/ed4e0adfa407ab65dd73b8862ebf2f308a0349d2
https://git.kernel.org/stable/c/9036b6342fcdab190d6edce3dd447859c1de90fc
https://git.kernel.org/stable/c/b1f5b890b89cb38a6c0bac91984d56cd69808e8c
https://git.kernel.org/stable/c/a3e0fdf71bbe031de845e8e08ed7fba49f9c702c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits the mempool and sets conf->have_replacement at the beginning of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create an array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() is not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A’s replacement. 5) recovery is woken, A has a replacement, but conf->have_replacement is 0. r10bio->dev[i].repl_bio will not be allocated and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery is skipped. [1] commit 7e83ccbecd60 (“md/raid10: Allow skipping recovery when clean arrays are assembled”) 2025-12-09 not yet calculated CVE-2023-53832 https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42
https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1
https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a
https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446
https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a
https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800
https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371
https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL ptr deref by checking new_crtc_state intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn’t obtained previously with intel_atomic_get_crtc_state, so we must check it for NULLness here, just as in many other places, where we can’t guarantee that intel_atomic_get_crtc_state was called. We are currently getting NULL ptr deref because of that, so this fix was confirmed to help. (cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8) 2025-12-09 not yet calculated CVE-2023-53833 https://git.kernel.org/stable/c/dbf25cc21beff4fd2e730573845a266504b21bb2
https://git.kernel.org/stable/c/8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88
https://git.kernel.org/stable/c/a41d985902c153c31c616fe183cf2ee331e95ecb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iio: adc: ina2xx: avoid NULL pointer dereference on OF device match The affected lines were resulting in a NULL pointer dereference on our platform because the device tree contained the following list of compatible strings: power-sensor@40 { compatible = “ti,ina232”, “ti,ina231”; … }; Since the driver doesn’t declare a compatible string “ti,ina232”, the OF matching succeeds on “ti,ina231”. But the I2C device ID info is populated via the first compatible string, cf. modalias population in of_i2c_get_board_info(). Since there is no “ina232” entry in the legacy I2C device ID table either, the struct i2c_device_id *id pointer in the probe function is NULL. Fix this by using the already populated type variable instead, which points to the proper driver data. Since the name is also wanted, add a generic one to the ina2xx_config table. 2025-12-09 not yet calculated CVE-2023-53834 https://git.kernel.org/stable/c/a8e2ae6296d56478fb98ae7f739846ed121f154f
https://git.kernel.org/stable/c/77b689cc27d489b75d33f1a368356d70eb0ce08c
https://git.kernel.org/stable/c/13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1
https://git.kernel.org/stable/c/a41e19cc0d6b6a445a4133170b90271e4a2553dc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix skb refcnt race after locking changes There is a race where skbs from the sk_psock_backlog can be referenced after the userspace side has already skb_consumed() the sk_buff and its refcnt dropped to zero, causing a use after free. The flow is the following: while ((skb = skb_peek(&psock->ingress_skb)) sk_psock_handle_skb(psock, skb, …, ingress) if (!ingress) … sk_psock_skb_ingress sk_psock_skb_ingress_enqueue(skb) msg->skb = skb sk_psock_queue_msg(psock, msg) skb_dequeue(&psock->ingress_skb) The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is what the application reads when recvmsg() is called. An application can read this anytime after the msg is placed on the queue. The recvmsg hook will also read msg->skb and then, after user space reads the msg, will call consume_skb(skb) on it, effectively freeing it. But the race is in the above, where the backlog queue still has a reference to the skb and calls skb_dequeue(). If the skb_dequeue happens after the user reads and frees the skb we have a use after free. The !ingress case does not suffer from this problem because it uses sendmsg_*(sk, msg) which does not pass the sk_buff further down the stack. The following splat was observed with ‘test_progs -t sockmap_listen’: [ 1022.710250][ T2556] general protection fault, … […] [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80 [ 1022.713653][ T2556] Code: … […] [ 1022.720699][ T2556] Call Trace: [ 1022.720984][ T2556] <TASK> [ 1022.721254][ T2556] ? die_addr+0x32/0x80 [ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0 [ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30 [ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80 [ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300 [ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0 [ 1022.723633][ T2556] worker_thread+0x4f/0x3a0 [ 1022.723998][ T2556] ?
__pfx_worker_thread+0x10/0x10 [ 1022.724386][ T2556] kthread+0xfd/0x130 [ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725066][ T2556] ret_from_fork+0x2d/0x50 [ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30 [ 1022.726201][ T2556] </TASK> To fix this we add an skb_get() before passing the skb to be enqueued in the ingress queue. This bumps the skb->users refcnt so that consume_skb() and kfree_skb() will not immediately free the sk_buff. With this we can be sure the skb is still around when we do the dequeue. Then we just need to decrement the refcnt or free the skb in the backlog case, which we do by calling kfree_skb() on the ingress case as well as the sendmsg case. Before the locking change from the Fixes tag we had the sock locked, so we couldn’t race with the user and there was no issue here. 2025-12-09 not yet calculated CVE-2023-53836 https://git.kernel.org/stable/c/65ad600b9bde68d2d28709943ab00b51ca8f0a1d
https://git.kernel.org/stable/c/923877254f002ae87d441382bb1096d9e773d56d
https://git.kernel.org/stable/c/e6b5e47adb9166e732cdf7e6e034946e3f89f36d
https://git.kernel.org/stable/c/a454d84ee20baf7bd7be90721b9821f73c7d23d9
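The CVE-2023-53836 description above is the classic "two owners, one reference" pattern: the backlog keeps a raw pointer to an skb while handing it to a second consumer, so whichever side releases last touches freed memory. The following is an added user-space C model written for this bulletin, not kernel code and not the patch itself. It replaces the kernel's skb, skb_get() and consume_skb() with a small refcounted struct that records a release instead of calling free(), so the use-after-free can be detected safely. The names model_skb, run_backlog and struct outcome, and the single-threaded interleaving (userspace consumes before the backlog dequeues), are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for struct sk_buff: a payload plus a 'users' refcount.
 * 'freed' is bookkeeping the model uses to detect a use-after-free without
 * actually dereferencing released memory. */
struct model_skb {
    int users;
    bool freed;
    char data[64];
};

struct outcome {
    bool use_after_free;  /* backlog dequeued an skb that was already released */
    bool leaked;          /* skb still alive after both sides are done */
};

static struct model_skb *model_alloc_skb(const char *payload)
{
    struct model_skb *skb = calloc(1, sizeof *skb);
    if (!skb)
        abort();
    skb->users = 1;                        /* like __alloc_skb(): one owner */
    strncpy(skb->data, payload, sizeof skb->data - 1);
    return skb;
}

/* skb_get(): take an extra reference. */
static void model_skb_get(struct model_skb *skb) { skb->users++; }

/* consume_skb()/kfree_skb(): drop a reference, release on zero. The model
 * records the release rather than freeing so the caller can inspect it. */
static void model_consume_skb(struct model_skb *skb)
{
    if (skb->freed)
        return;                            /* keep the model itself from double-freeing */
    if (--skb->users == 0)
        skb->freed = true;
}

/* One pass of the sk_psock_backlog() ingress flow from the description.
 * take_ref == false is the vulnerable ordering; true applies the fix. */
struct outcome run_backlog(bool take_ref)
{
    struct outcome out = { false, false };
    struct model_skb *skb = model_alloc_skb("constructed ingress payload");

    /* skb_peek(&psock->ingress_skb): the backlog holds a raw pointer across
     * the enqueue below and will skb_dequeue() it later. */
    struct model_skb *backlog_ptr = skb;

    if (take_ref)
        model_skb_get(skb);                /* fix: users 1 -> 2 before enqueue */

    /* sk_psock_skb_ingress_enqueue(): msg->skb = skb, msg goes on ingress_msg. */
    struct model_skb *msg_skb = skb;

    /* Userspace recvmsg() wins the race and consumes the message first. */
    model_consume_skb(msg_skb);

    /* Backlog worker resumes and touches the skb in skb_dequeue(). */
    out.use_after_free = backlog_ptr->freed;
    if (!out.use_after_free)
        model_consume_skb(backlog_ptr);    /* fixed path: kfree_skb() drops the extra ref */

    out.leaked = !backlog_ptr->freed;
    free(skb);                             /* tear down the model object */
    return out;
}

int main(void)
{
    struct outcome bug = run_backlog(false), fixed = run_backlog(true);
    printf("without skb_get(): use-after-free=%d leaked=%d\n", bug.use_after_free, bug.leaked);
    printf("with    skb_get(): use-after-free=%d leaked=%d\n", fixed.use_after_free, fixed.leaked);
    return 0;
}
```

The point the model makes is that the reference must be taken by the party that still holds a pointer, before the object is handed over; taking it afterwards is already too late if the consumer can run in between. The matching release on the backlog side is what keeps the fix from turning into a leak.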
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on snapshot tear down In case of early initialization errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525099/ 2025-12-09 not yet calculated CVE-2023-53837 https://git.kernel.org/stable/c/8f0e1ad5327a3499e7f09157cb714302a856e8a4
https://git.kernel.org/stable/c/16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175
https://git.kernel.org/stable/c/8eca32b5b92a0be956a8934d7eddf4f70c107927
https://git.kernel.org/stable/c/19fe79ae816a7e3400df1eb4d27530bf9b8ae258
https://git.kernel.org/stable/c/a465353b9250802f87b97123e33a17f51277f0b1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: synchronize atomic write aborts To fix a race condition between atomic write aborts, I use the inode lock and make the COW inode re-usable throughout the whole atomic file inode lifetime. 2025-12-09 not yet calculated CVE-2023-53838 https://git.kernel.org/stable/c/102b82708c1523b36d421cb8687746906069bc17
https://git.kernel.org/stable/c/b7724360714642099cec907f54f42e55f5325453
https://git.kernel.org/stable/c/a46bebd502fe1a3bd1d22f64cedd93e7e7702693
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dccp: fix data-race around dp->dccps_mss_cache dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt(). Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked. 2025-12-09 not yet calculated CVE-2023-53839 https://git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1
https://git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817
https://git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d
https://git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135
https://git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8
https://git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7
https://git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384
https://git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c
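The CVE-2023-53839 fix does two things the description names: it annotates the unlocked accesses with READ_ONCE()/WRITE_ONCE(), and it re-reads dccps_mss_cache after lock_sock() instead of trusting a value read before the lock. The second part is the general lesson: a check performed before acquiring the lock that protects the data is only a hint. Below is an added user-space C model written for this bulletin (not kernel code and not the patch) that reproduces the stale-read problem and the re-check. The lock is simulated by a flag, the racing CPU by a function called at the interleaving point, and the names dccp_sock_model, dccp_sendmsg_model, scenario and the enum values are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

enum send_result {
    SEND_OK = 0,        /* len fits the MSS that is current under the lock */
    SEND_REJECTED,      /* -EMSGSIZE returned to the caller */
    SEND_OVERSIZED      /* the bug: a packet larger than the current MSS is built */
};

struct dccp_sock_model {
    int mss_cache;      /* dp->dccps_mss_cache */
    bool locked;        /* stands in for lock_sock()/release_sock() */
};

static void model_lock_sock(struct dccp_sock_model *sk) { sk->locked = true; }
static void model_release_sock(struct dccp_sock_model *sk) { sk->locked = false; }

/* A writer on another CPU updating the MSS between our unlocked read and our
 * lock_sock(). In the kernel this is the WRITE_ONCE() side of the race. */
static void racing_writer(struct dccp_sock_model *sk, int new_mss)
{
    sk->mss_cache = new_mss;
}

/* Model of dccp_sendmsg(). 'recheck' selects the fixed behaviour: re-read the
 * MSS once the socket is locked rather than trusting the earlier value. */
enum send_result dccp_sendmsg_model(struct dccp_sock_model *sk, int len,
                                    int racing_mss, bool recheck)
{
    int mss = sk->mss_cache;                 /* READ_ONCE() before lock_sock() */
    if (len > mss)
        return SEND_REJECTED;                /* early -EMSGSIZE, no lock needed */

    racing_writer(sk, racing_mss);           /* interleaving point: MSS changes */

    model_lock_sock(sk);
    if (recheck) {
        mss = sk->mss_cache;                 /* stable while we hold the lock */
        if (len > mss) {
            model_release_sock(sk);
            return SEND_REJECTED;
        }
    }
    /* The skb for 'len' bytes is allocated and queued here; without the
     * re-check it is sized against an MSS that may no longer be current. */
    enum send_result r = (len > sk->mss_cache) ? SEND_OVERSIZED : SEND_OK;
    model_release_sock(sk);
    return r;
}

/* Convenience wrapper: fresh socket with initial_mss, one sendmsg() of len
 * bytes while a racing writer sets racing_mss at the interleaving point. */
enum send_result scenario(int len, int initial_mss, int racing_mss, bool recheck)
{
    struct dccp_sock_model sk = { initial_mss, false };
    return dccp_sendmsg_model(&sk, len, racing_mss, recheck);
}

int main(void)
{
    printf("no recheck, MSS 1500->1200, len 1400: %d (2 = oversized)\n",
           scenario(1400, 1500, 1200, false));
    printf("recheck,    MSS 1500->1200, len 1400: %d (1 = rejected)\n",
           scenario(1400, 1500, 1200, true));
    printf("recheck,    MSS stays 1500, len 1400: %d (0 = ok)\n",
           scenario(1400, 1500, 1500, true));
    return 0;
}
```

The unlocked early check is still useful as a fast path; the fix keeps it and simply refuses to act on it once the lock is held. The same shape applies to any "read a limit, lock, then allocate against it" sequence.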
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: early: xhci-dbc: Fix a potential out-of-bound memory access If xdbc_bulk_write() fails, the values in ‘buf’ can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called. Reserve an extra byte, which will be zeroed automatically because ‘buf’ is a static variable, in order to avoid troubles, should it happen. 2025-12-09 not yet calculated CVE-2023-53840 https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0
https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5
https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406
https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd
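The CVE-2023-53840 entry above describes a buffer that is only NUL-terminated when the write into it succeeds; on failure the contents "can be anything" and a later %s-style consumer reads past the end. The fix reserves one byte beyond what the write may touch, in static storage that the C runtime zero-initialises. The following is an added user-space C example written for this bulletin, not kernel code and not the patch: it lays out both buffer shapes side by side, simulates the failed bulk write with a mock that fills every writable byte with junk, and checks with a bounded scan whether a terminator exists inside the storage. XDBC_BUF_LEN, mock_bulk_write_fail and the function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XDBC_BUF_LEN 32   /* assumed payload size for the model */

/* Vulnerable layout: storage equals the payload size, so a write that fills
 * every byte leaves no room for a terminator. */
static char buf_unsafe[XDBC_BUF_LEN];

/* Fixed layout: one reserved byte beyond what the write may touch. Static
 * storage is zero-initialised, so that byte is always 0 and never written. */
static char buf_safe[XDBC_BUF_LEN + 1];

/* Mock of xdbc_bulk_write() failing: the buffer ends up holding arbitrary
 * non-zero bytes and the caller gets an error it may not check. */
static int mock_bulk_write_fail(char *buf, size_t len)
{
    memset(buf, 'A', len);   /* "the values in 'buf' can be anything" */
    return -1;
}

/* Bounded scan: number of bytes strlen() would examine before finding a NUL,
 * never stepping past 'cap'. Returns cap when no terminator exists. */
size_t bounded_strlen(const char *buf, size_t cap)
{
    size_t i = 0;
    while (i < cap && buf[i] != '\0')
        i++;
    return i;
}

/* True when, after a failed write, the buffer is still NUL-terminated within
 * its own storage, i.e. a "%s" trace of it would not read out of bounds. */
bool trace_buffer_terminated(bool fixed)
{
    char *buf = fixed ? buf_safe : buf_unsafe;
    size_t cap = fixed ? sizeof buf_safe : sizeof buf_unsafe;

    (void)mock_bulk_write_fail(buf, XDBC_BUF_LEN);   /* error ignored, as in the bug */
    return bounded_strlen(buf, cap) < cap;
}

int main(void)
{
    printf("exact-size buffer terminated after failed write: %d\n",
           trace_buffer_terminated(false));
    printf("buffer with spare byte terminated after failed write: %d\n",
           trace_buffer_terminated(true));
    return 0;
}
```

The spare byte works only because nothing ever writes to it: the write is bounded to XDBC_BUF_LEN while the array is XDBC_BUF_LEN + 1. The same guarantee could be obtained by explicitly storing a 0 after every write, but relying on zero-initialised static storage means there is no error path that can forget to do so.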
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: devlink: report devlink_port_type_warn source device devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. But from this warning it is not easy found out which device (driver) has no devlink port set. [ 3709.975552] Type was not set for devlink port. [ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 [ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm [ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse [ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 [ 3710.108435] Hardware name: Dell Inc. 
PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 [ 3710.108437] Workqueue: events devlink_port_type_warn [ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 [ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 [ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 [ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 [ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 [ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 [ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 [ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 [ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 [ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 [ 3710.108456] PKRU: 55555554 [ 3710.108457] Call Trace: [ 3710.108458] <TASK> [ 3710.108459] process_one_work+0x1e2/0x3b0 [ 3710.108466] ? rescuer_thread+0x390/0x390 [ 3710.108468] worker_thread+0x50/0x3a0 [ 3710.108471] ? rescuer_thread+0x390/0x390 [ 3710.108473] kthread+0xdd/0x100 [ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 [ 3710.108479] ret_from_fork+0x1f/0x30 [ 3710.108485] </TASK> [ 3710.108486] —[ end trace 1b4b23cd0c65d6a0 ]— After patch: [ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. [ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 2025-12-09 not yet calculated CVE-2023-53841 https://git.kernel.org/stable/c/970c7035f4b03c7be9f49c403ccf6fb0b70039a1
https://git.kernel.org/stable/c/2864cc9a1fd13666ed7fd9064dc3f2c51a85de32
https://git.kernel.org/stable/c/7552020e3aa8283b215ca6b3840e6f9281ee4664
https://git.kernel.org/stable/c/408d40c729cbe3a918a381405df769491a472122
https://git.kernel.org/stable/c/21b9e0efb38eac1fe7bed369e96980cad45aa9c7
https://git.kernel.org/stable/c/a52305a81d6bb74b90b400dfa56455d37872fe4b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove The MBHC resources must be released on component probe failure and removal, so they cannot be tied to the lifetime of the component device. This is specifically needed to allow probe deferrals of the sound card, which otherwise fail when reprobing the codec component: snd-sc8280xp sound: ASoC: failed to instantiate card -517 genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 wcd938x_codec audio-codec: mbhc initialization failed wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 snd-sc8280xp sound: ASoC: failed to instantiate card -16 2025-12-09 not yet calculated CVE-2023-53842 https://git.kernel.org/stable/c/90ab6446eb522e31421b77bf8f45714f5668f9a3
https://git.kernel.org/stable/c/17feff71d06c96dea1fa72451c20d411e9d5ac8f
https://git.kernel.org/stable/c/ce4059e1c0aca972446e06c09ee09a0d2ba5df54
https://git.kernel.org/stable/c/a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL: $ ./cli.py --spec netlink/specs/ovs_datapath.yaml --do new --json '{"upcall-pid": 1, "name":"my-dp"}' $ ./cli.py --spec netlink/specs/ovs_vport.yaml --do new --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' $ ip link show -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff … Validate the inputs. Now the second command correctly returns: $ ./cli.py --spec netlink/specs/ovs_vport.yaml --do new --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' lib.ynl.NlError: Netlink error: Numerical result out of range nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'} Accept 0 since it used to be silently ignored. 2025-12-09 not yet calculated CVE-2023-53843 https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a
https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db
https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don’t leak a resource on swapout move error If moving the bo to system for swapout failed, we were leaking a resource. Fix. 2025-12-09 not yet calculated CVE-2023-53844 https://git.kernel.org/stable/c/af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834
https://git.kernel.org/stable/c/f037f6038736bd038ddb9c72de979a08cc1ee3b5
https://git.kernel.org/stable/c/4a5b37ea6797d7a53e6dd004aa37e149f40199ce
https://git.kernel.org/stable/c/a590f03d8de7c4cb7ce4916dc7f2fd10711faabe
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix infinite loop in nilfs_mdt_get_block() If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level() may return the same internal return code as -ENOENT, meaning the block does not exist in the metadata file. This duplication of return codes confuses nilfs_mdt_get_block(), causing it to read and create a metadata block indefinitely. In particular, if this happens to the inode metadata file, ifile, semaphore i_rwsem can be left held, causing task hangs in lock_mount. Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block address translation failures with -ENOENT as metadata corruption instead of returning the error code. 2025-12-09 not yet calculated CVE-2023-53845 https://git.kernel.org/stable/c/cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2
https://git.kernel.org/stable/c/d536f9976bb04e9c84cf80045a9355975e418f41
https://git.kernel.org/stable/c/fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0
https://git.kernel.org/stable/c/8a89d36a07afe1ed4564df51fefa2bb556c85412
https://git.kernel.org/stable/c/8d07d9119642ba43d21f8ba64d51d01931096b20
https://git.kernel.org/stable/c/25457d07c8146e57d28906c663def033dc425af6
https://git.kernel.org/stable/c/34c5f17222b50c79848bb03ec8811648813e6a45
https://git.kernel.org/stable/c/5b29661669cb65b9750a3cf70ed3eaf947b92167
https://git.kernel.org/stable/c/a6a491c048882e7e424d407d32cba0b52d9ef2bf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000 CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799 f2fs_truncate include/linux/fs.h:825 [inline] f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006 notify_change+0xb2c/0x1180 fs/attr.c:483 do_truncate+0x143/0x200 fs/open.c:66 handle_truncate fs/namei.c:3295 [inline] do_open fs/namei.c:3640 [inline] path_openat+0x2083/0x2750 fs/namei.c:3791 do_filp_open+0x1ba/0x410 fs/namei.c:3818 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_creat fs/open.c:1448 [inline] __se_sys_creat fs/open.c:1442 [inline] __x64_sys_creat+0xcd/0x120 fs/open.c:1442 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is, inodeA references inodeB via inodeB’s ino, once inodeA is truncated, it calls truncate_dnode() to truncate data blocks in inodeB’s node page, it traverse mapping data from node->i.i_addr[0] 
to node->i.i_addr[ADDRS_PER_BLOCK() - 1], resulting in an out-of-bounds access. This patch adds a sanity check on the dnode page in truncate_dnode() so that such an issue is avoided, and when one is encountered it records the newly introduced ERROR_INVALID_NODE_REFERENCE error into the superblock, so that fsck can later detect the issue and try repairing it. It also removes f2fs_truncate_data_blocks() as a cleanup, since the function has only one caller, and uses f2fs_truncate_data_blocks_range() instead. 2025-12-09 not yet calculated CVE-2023-53846 https://git.kernel.org/stable/c/af0f716ad3b039cab9d426da63a5ee6c88751185
https://git.kernel.org/stable/c/a6ec83786ab9f13f25fb18166dee908845713a95
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Fix uninit-value in alauda_check_media() Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage: BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 The problem is that alauda_check_media() doesn’t verify that its USB transfer succeeded before trying to use the received data. What should happen if the transfer fails isn’t entirely clear, but a reasonably conservative approach is to pretend that no media is present. A similar problem exists in a usb_stor_dbg() call in alauda_get_media_status(). In this case, when an error occurs the call is redundant, because usb_stor_ctrl_transfer() already will print a debugging message. Finally, unrelated to the uninitialized memory access, is the fact that alauda_check_media() performs DMA to a buffer on the stack. Fortunately usb-storage provides a general purpose DMA-able buffer for uses like this. We’ll use it instead. 2025-12-09 not yet calculated CVE-2023-53847 https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a
https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0
https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b
https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65
https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac
https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd
https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2
https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix a deadlock in r5l_exit_log() Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work") introduced a new problem: // caller hold reconfig_mutex r5l_exit_log flush_work(&log->disable_writeback_work) r5c_disable_writeback_async wait_event /* * conf->log is not NULL, and mddev_trylock() * will fail, wait_event() can never pass. */ conf->log = NULL Fix this problem by setting 'conf->log' to NULL before wake_up() as it used to be, so that wait_event() from r5c_disable_writeback_async() can exit. In the meantime, move md_unregister_thread() forward so that the null-ptr-deref that commit fixed can still be fixed. 2025-12-09 not yet calculated CVE-2023-53848 https://git.kernel.org/stable/c/ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b
https://git.kernel.org/stable/c/71cf23271f015a57038bdc4669952096f9fe5500
https://git.kernel.org/stable/c/c406984738215dc20ac2dc63e49d70f20797730e
https://git.kernel.org/stable/c/a705b11b358dee677aad80630e7608b2d5f56691
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix workqueue leak on bind errors Make sure to destroy the workqueue also in case of early errors during bind (e.g. a subcomponent failing to bind). Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with drmm_") the mode config will be freed when the drm device is released also when using the legacy interface, but add an explicit cleanup for consistency and to facilitate backporting. Patchwork: https://patchwork.freedesktop.org/patch/525093/ 2025-12-09 not yet calculated CVE-2023-53849 https://git.kernel.org/stable/c/6e1476225ec02eeebc4b79f793506f80bc4bca8f
https://git.kernel.org/stable/c/28e34db2f3e0130872e2384dd9df9f82bd89e967
https://git.kernel.org/stable/c/8551c4b7c8ffb42f759547e5c39da5980abf2432
https://git.kernel.org/stable/c/a75b49db6529b2af049eafd938fae888451c3685
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iavf: use internal state to free traffic IRQs If the system tries to close the netdev while iavf_reset_task() is running, __LINK_STATE_START will be cleared and netif_running() will return false in iavf_reinit_interrupt_scheme(). This will result in iavf_free_traffic_irqs() not being called and a leak as follows: [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 is shown when pci_disable_msix() is later called. Fix by using the internal adapter state. The traffic IRQs will always exist if state == __IAVF_RUNNING. 2025-12-09 not yet calculated CVE-2023-53850 https://git.kernel.org/stable/c/6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff
https://git.kernel.org/stable/c/5e9db32eec628481f5da97a5b1aedb84a5240d18
https://git.kernel.org/stable/c/a77ed5c5b768e9649be240a2d864e5cd9c6a2015
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destroyed and recreated upon the next attempt. But the struct device which the devres is tied to is the DPU's (drm_dev->dev), so the devres release may happen after the DP controller is torn down. Indications of this can be seen in the commonly seen EDID hexdump full of zeros in the log, or the occasional/rare KASAN fault where the panel's attempt to read the EDID information causes a use after free on DP resources. It's tempting to move the devres to the DP controller's struct device, but the resources used by the device(s) on the aux bus are explicitly torn down in the error path. The KASAN-reported use-after-free also remains, as the DP aux "module" explicitly frees its devres-allocated memory in this code path. As such, explicitly depopulate the aux bus in the error path, and in the component unbind path, to avoid these issues. Patchwork: https://patchwork.freedesktop.org/patch/542163/ 2025-12-09 not yet calculated CVE-2023-53851 https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33
https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291
https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_secret_store Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return, to fix the following kmemleak report: unreferenced object 0xffff8886376ea800 (size 64): comm "check", pid 22048, jiffies 4344316705 (age 92.199s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc unreferenced object 0xffff8886376eaf00 (size 64): comm "check", pid 22048, jiffies 4344316736 (age 92.168s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc 2025-12-09 not yet calculated CVE-2023-53852 https://git.kernel.org/stable/c/2e9b141307554521d60fecf6bf1d2edc8dd0181d
https://git.kernel.org/stable/c/c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa
https://git.kernel.org/stable/c/6a5eda5017959541ab82c5d56bcf784b8294e298
https://git.kernel.org/stable/c/a836ca33c5b07d34dd5347af9f64d25651d12674
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netlink: annotate accesses to nlk->cb_running Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. Use READ_ONCE() there. Add corresponding WRITE_ONCE() to netlink_dump() and __netlink_dump_start() syzbot reported: BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0: __netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399 netlink_dump_start include/linux/netlink.h:308 [inline] rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] sock_write_iter+0x1aa/0x230 net/socket.c:1138 call_write_iter include/linux/fs.h:1851 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x463/0x760 fs/read_write.c:584 ksys_write+0xeb/0x1a0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x42/0x50 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1: netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022 sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017 ____sys_recvmsg+0x2db/0x310 net/socket.c:2718 ___sys_recvmsg net/socket.c:2762 [inline] do_recvmmsg+0x2e5/0x710 net/socket.c:2856 __sys_recvmmsg net/socket.c:2935 [inline] __do_sys_recvmmsg net/socket.c:2958 [inline] __se_sys_recvmmsg net/socket.c:2951 [inline] __x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 do_syscall_x64 
arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x00 -> 0x01 2025-12-09 not yet calculated CVE-2023-53853 https://git.kernel.org/stable/c/e25e9d8a210ed78bdf0f364576dbee13aefadbf8
https://git.kernel.org/stable/c/840a647499b093621167de56ffa8756dfc69f242
https://git.kernel.org/stable/c/a507022c862e10744a92c4bf5709775450a110ad
https://git.kernel.org/stable/c/f92557f79a60cb142258f5fa7194f327573fadd8
https://git.kernel.org/stable/c/1d5c8b01f1df0461256a6d75854ed806f50645a3
https://git.kernel.org/stable/c/a115dadf8995b1730c36c474401d97355705cb88
https://git.kernel.org/stable/c/02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3
https://git.kernel.org/stable/c/a939d14919b799e6fff8a9c80296ca229ba2f8a4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path When devm runs functions in the "remove" path for a device it runs them in the reverse order. That means that if you have parts of your driver that aren't using devm or are using "roll your own" devm w/ devm_add_action_or_reset() you need to keep that in mind. The mt8186 audio driver didn't quite get this right. Specifically, in mt8186_init_clock() it called mt8186_audsys_clk_register() and then went on to call a bunch of other devm functions. The caller of mt8186_init_clock() used devm_add_action_or_reset() to call mt8186_deinit_clock() but, because of the intervening devm functions, the order was wrong. Specifically at probe time, the order was: 1. mt8186_audsys_clk_register() 2. afe_priv->clk = devm_kcalloc(...) 3. afe_priv->clk[i] = devm_clk_get(...) At remove time, the order (which should have been 3, 2, 1) was: 1. mt8186_audsys_clk_unregister() 3. Free all of afe_priv->clk[i] 2. Free afe_priv->clk The above seemed to be causing a use-after-free. Luckily, it's easy to fix this by simply using devm more correctly. Let's move the devm_add_action_or_reset() to the right place. In addition to fixing the use-after-free, code inspection shows that this fixes a leak (missing call to mt8186_audsys_clk_unregister()) that would have happened if any of the syscon_regmap_lookup_by_phandle() calls in mt8186_init_clock() had failed. 2025-12-09 not yet calculated CVE-2023-53854 https://git.kernel.org/stable/c/3e56a1c04882852e3e7d6c59756a16211ebbc457
https://git.kernel.org/stable/c/dffd9e2b57cb845930fa885aa634a847ba2130dd
https://git.kernel.org/stable/c/a93d2afd3f77a7331271a0f25c6a11003db69b3c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat: $ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind mscc_felix 0000:00:00.5 swp0: left promiscuous mode sja1105 spi2.0: Link is Down DSA: tree 1 torn down mscc_felix 0000:00:00.5 swp2: left promiscuous mode sja1105 spi2.2: Link is Down DSA: tree 3 torn down fsl_enetc 0000:00:00.2 eno2: left promiscuous mode mscc_felix 0000:00:00.5: Link is Down ------------[ cut here ]------------ RTNL: assertion failed at net/dsa/tag_8021q.c (409) WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0 Modules linked in: CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771 pc : dsa_tag_8021q_unregister+0x12c/0x1a0 lr : dsa_tag_8021q_unregister+0x12c/0x1a0 Call trace: dsa_tag_8021q_unregister+0x12c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ RTNL: assertion failed at net/8021q/vlan_core.c (376) WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0 CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771 pc : vlan_vid_del+0x1b8/0x1f0 lr : vlan_vid_del+0x1b8/0x1f0 dsa_tag_8021q_unregister+0x8c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 DSA: tree 0 torn down This was somewhat not so easy to spot, because “ocelot-8021q” is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held. 2025-12-09 not yet calculated CVE-2023-53855 https://git.kernel.org/stable/c/758dbcfb257e1aee0a310bae789c2af6ffe35d0f
https://git.kernel.org/stable/c/7ae8fa6b70975b6efbbef7912d09bff5a0bff491
https://git.kernel.org/stable/c/a94c16a2fda010866b8858a386a8bfbeba4f72c5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overlay_remove() to clean up this partial state. However, of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). Hence if the overlay fails to apply due to an unresolved symbol, the overlay_changeset.cset.entries list is still uninitialized, and cleanup will crash with a NULL-pointer dereference in overlay_removal_is_ok(). Fix this by moving the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), where all other early initialization is done. 2025-12-09 not yet calculated CVE-2023-53856 https://git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc
https://git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13
https://git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d
https://git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f
https://git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report ‘./test_progs -t test_local_storage’ reported a splat: [ 27.137569] ============================= [ 27.138122] [ BUG: Invalid wait context ] [ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O [ 27.139542] —————————– [ 27.140106] test_progs/1729 is trying to lock: [ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130 [ 27.141834] other info that might help us debug this: [ 27.142437] context-{5:5} [ 27.142856] 2 locks held by test_progs/1729: [ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){….}-{1:3}, at: rcu_lock_acquire+0x4/0x40 [ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0 [ 27.145855] stack backtrace: [ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247 [ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 27.149127] Call Trace: [ 27.149490] <TASK> [ 27.149867] dump_stack_lvl+0x130/0x1d0 [ 27.152609] dump_stack+0x14/0x20 [ 27.153131] __lock_acquire+0x1657/0x2220 [ 27.153677] lock_acquire+0x1b8/0x510 [ 27.157908] local_lock_acquire+0x29/0x130 [ 27.159048] obj_cgroup_charge+0xf4/0x3c0 [ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0 [ 27.161931] __kmem_cache_alloc_node+0x51/0x210 [ 27.163557] __kmalloc+0xaa/0x210 [ 27.164593] bpf_map_kzalloc+0xbc/0x170 [ 27.165147] bpf_selem_alloc+0x130/0x510 [ 27.166295] bpf_local_storage_update+0x5aa/0x8e0 [ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0 [ 27.169199] bpf_map_update_value+0x415/0x4f0 [ 27.169871] map_update_elem+0x413/0x550 [ 27.170330] __sys_bpf+0x5e9/0x640 [ 27.174065] __x64_sys_bpf+0x80/0x90 [ 27.174568] do_syscall_64+0x48/0xa0 [ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 27.175932] RIP: 0033:0x7effb40e41ad [ 27.176357] Code: ff c3 66 2e 0f 1f 84 
00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8 [ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141 [ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad [ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002 [ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788 [ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000 [ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000 [ 27.184958] </TASK> It complains about acquiring a local_lock while holding a raw_spin_lock. It means it should not allocate memory while holding a raw_spin_lock since it is not safe for RT. raw_spin_lock is needed because bpf_local_storage supports tracing context. In particular for task local storage, it is easy to get a “current” task PTR_TO_BTF_ID in tracing bpf prog. However, task (and cgroup) local storage has already been moved to bpf mem allocator which can be used after raw_spin_lock. The splat is for the sk storage. For sk (and inode) storage, it has not been moved to bpf mem allocator. Using raw_spin_lock or not, kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context. However, the local storage helper requires a verifier accepted sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running a bpf prog in a kzalloc unsafe context and also able to hold a verifier accepted sk pointer) could happen. This patch avoids kzalloc after raw_spin_lock to silent the splat. There is an existing kzalloc before the raw_spin_lock. At that point, a kzalloc is very likely required because a lookup has just been done before. Thus, this patch always does the kzalloc before acq —truncated— 2025-12-09 not yet calculated CVE-2023-53857 https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47
https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed. 2025-12-09 not yet calculated CVE-2023-53858 https://git.kernel.org/stable/c/755289d67eb9a74ae71bb624902e979c66859444
https://git.kernel.org/stable/c/f47e6631a8fcc6fe05b8644aa4222a60f3b0a927
https://git.kernel.org/stable/c/30962268fa1a7466413b3d83037688129021d470
https://git.kernel.org/stable/c/a49e5a05121c8bc471a57b4916c5393749c24de5
https://git.kernel.org/stable/c/073dbbe5743779faf24f233cc95459b47c7198dd
https://git.kernel.org/stable/c/34f5b826dd509b76644f83094b4af7e7668a6a38
https://git.kernel.org/stable/c/1694fc8ad734e2909a9e40d2be03cc4423e0bee6
https://git.kernel.org/stable/c/a9c09546e903f1068acfa38e1ee18bded7114b37
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: s390/idle: mark arch_cpu_idle() noinstr linux-next commit (“cpuidle: tracing: Warn about !rcu_is_watching()”) adds a new warning which hits on s390’s arch_cpu_idle() function: RCU not on for: arch_cpu_idle+0x0/0x28 WARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258 Modules linked in: CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4 Hardware name: IBM 8561 T01 703 (z/VM 7.3.0) Krnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000 0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000 0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0 0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8 Krnl Code: 00000000002b55b0: c02000840051 larl %r2,0000000001335652 00000000002b55b6: c0e5fff512d1 brasl %r14,0000000000157b58 #00000000002b55bc: af000000 mc 0,0 >00000000002b55c0: a7f4ffe7 brc 15,00000000002b558e 00000000002b55c4: 0707 bcr 0,%r7 00000000002b55c6: 0707 bcr 0,%r7 00000000002b55c8: eb6ff0480024 stmg %r6,%r15,72(%r15) 00000000002b55ce: b90400ef lgr %r14,%r15 Call Trace: [<00000000002b55c0>] arch_ftrace_ops_list_func+0x250/0x258 ([<00000000002b55bc>] arch_ftrace_ops_list_func+0x24c/0x258) [<0000000000f5f0fc>] ftrace_common+0x1c/0x20 [<00000000001044f6>] arch_cpu_idle+0x6/0x28 [<0000000000f4acf6>] default_idle_call+0x76/0x128 [<00000000001cc374>] do_idle+0xf4/0x1b0 [<00000000001cc6ce>] cpu_startup_entry+0x36/0x40 [<0000000000119d00>] smp_start_secondary+0x140/0x150 [<0000000000f5d2ae>] restart_int_handler+0x6e/0x90 Mark arch_cpu_idle() noinstr like all other architectures with CONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this. 
2025-12-09 not yet calculated CVE-2023-53859 https://git.kernel.org/stable/c/49aa49952116b8fd56bfb1e8c69bce179f49bece
https://git.kernel.org/stable/c/611c390217106c46e24e1af3db83187339d447ea
https://git.kernel.org/stable/c/fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc
https://git.kernel.org/stable/c/a9cbc1b471d291c865907542394f1c483b93a811
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: dm: don’t attempt to queue IO under RCU protection dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, it’s fine to attempt to submit that IO while under RCU read lock protection. This is not OK, as REQ_NOWAIT just means that we should not be sleeping waiting on other IO, it does not mean that we can’t potentially schedule. A simple test case demonstrates this quite nicely: int main(int argc, char *argv[]) { struct iovec iov; int fd; fd = open("/dev/dm-0", O_RDONLY | O_DIRECT); posix_memalign(&iov.iov_base, 4096, 4096); iov.iov_len = 4096; preadv2(fd, &iov, 1, 0, RWF_NOWAIT); return 0; } which will instantly spew: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 INFO: lockdep is turned off. CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x11d/0x1b0 __might_resched+0x3c3/0x5e0 ? preempt_count_sub+0x150/0x150 mempool_alloc+0x1e2/0x390 ? mempool_resize+0x7d0/0x7d0 ? lock_sync+0x190/0x190 ? lock_release+0x4b7/0x670 ? internal_get_user_pages_fast+0x868/0x2d40 bio_alloc_bioset+0x417/0x8c0 ? bvec_alloc+0x200/0x200 ? internal_get_user_pages_fast+0xb8c/0x2d40 bio_alloc_clone+0x53/0x100 dm_submit_bio+0x27f/0x1a20 ? lock_release+0x4b7/0x670 ? blk_try_enter_queue+0x1a0/0x4d0 ? dm_dax_direct_access+0x260/0x260 ? rcu_is_watching+0x12/0xb0 ? blk_try_enter_queue+0x1cc/0x4d0 __submit_bio+0x239/0x310 ? __bio_queue_enter+0x700/0x700 ? kvm_clock_get_cycles+0x40/0x60 ? ktime_get+0x285/0x470 submit_bio_noacct_nocheck+0x4d9/0xb80 ? should_fail_request+0x80/0x80 ? preempt_count_sub+0x150/0x150 ? lock_release+0x4b7/0x670 ? 
__bio_add_page+0x143/0x2d0 ? iov_iter_revert+0x27/0x360 submit_bio_noacct+0x53e/0x1b30 submit_bio_wait+0x10a/0x230 ? submit_bio_wait_endio+0x40/0x40 __blkdev_direct_IO_simple+0x4f8/0x780 ? blkdev_bio_end_io+0x4c0/0x4c0 ? stack_trace_save+0x90/0xc0 ? __bio_clone+0x3c0/0x3c0 ? lock_release+0x4b7/0x670 ? lock_sync+0x190/0x190 ? atime_needs_update+0x3bf/0x7e0 ? timestamp_truncate+0x21b/0x2d0 ? inode_owner_or_capable+0x240/0x240 blkdev_direct_IO.part.0+0x84a/0x1810 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 ? blkdev_read_iter+0x40d/0x530 ? reacquire_held_locks+0x4e0/0x4e0 ? __blkdev_direct_IO_simple+0x780/0x780 ? rcu_is_watching+0x12/0xb0 ? __mark_inode_dirty+0x297/0xd50 ? preempt_count_add+0x72/0x140 blkdev_read_iter+0x2a4/0x530 do_iter_readv_writev+0x2f2/0x3c0 ? generic_copy_file_range+0x1d0/0x1d0 ? fsnotify_perm.part.0+0x25d/0x630 ? security_file_permission+0xd8/0x100 do_iter_read+0x31b/0x880 ? import_iovec+0x10b/0x140 vfs_readv+0x12d/0x1a0 ? vfs_iter_read+0xb0/0xb0 ? rcu_is_watching+0x12/0xb0 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 do_preadv+0x1b3/0x260 ? do_readv+0x370/0x370 __x64_sys_preadv2+0xef/0x150 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f5af41ad806 Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55 RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806 RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003 RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001 </TASK> where in fact it is —truncated— 2025-12-09 not yet calculated CVE-2023-53860 https://git.kernel.org/stable/c/d7b2abd87d1fcdb47811f90090a363e7ca15cb14
https://git.kernel.org/stable/c/699775e9338adcd4eaedea000d32c60250c3114d
https://git.kernel.org/stable/c/a9ce385344f916cd1c36a33905e564f5581beae9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: correct grp validation in ext4_mb_good_group The group corruption check accesses memory of grp and will trigger a kernel crash if grp is NULL. So do a NULL check before the corruption check. 2025-12-09 not yet calculated CVE-2023-53861 https://git.kernel.org/stable/c/245759d987b617d183061db6ab8886ebb5cc78e9
https://git.kernel.org/stable/c/3e24082f16825279054a2b8a5e668d65070bbf07
https://git.kernel.org/stable/c/772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d
https://git.kernel.org/stable/c/83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4
https://git.kernel.org/stable/c/e69d665987db0e37896adf78a7e718f9a0a75d3f
https://git.kernel.org/stable/c/a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hfs: fix missing hfs_bnode_get() in __hfs_bnode_create Syzbot found a kernel BUG in hfs_bnode_put(): kernel BUG at fs/hfs/bnode.c:466! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466 Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293 RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1 R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80 R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> hfs_write_inode+0x1bc/0xb40 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652 writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878 __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949 wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054 wb_check_start_all fs/fs-writeback.c:2176 [inline] wb_do_writeback fs/fs-writeback.c:2202 [inline] wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235 process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 
kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> The BUG_ON() is triggered here: /* Dispose of resources used by a node */ void hfs_bnode_put(struct hfs_bnode *node) { if (node) { <skipped> BUG_ON(!atomic_read(&node->refcnt)); <- we have the issue here!!!! <skipped> } } By tracing the refcnt, I found the node is created by hfs_bmap_alloc() with refcnt 1. Then the node is used by hfs_btree_write(). There is a missing hfs_bnode_get() after finding the node. The issue happened in the following path: <alloc> hfs_bmap_alloc hfs_bnode_find __hfs_bnode_create <- allocate a new node with refcnt 1. hfs_bnode_put <- decrease the refcnt <write> hfs_btree_write hfs_bnode_find __hfs_bnode_create hfs_bnode_findhash <- find the node without refcnt increased. hfs_bnode_put <- trigger the BUG_ON() since refcnt is 0. 2025-12-09 not yet calculated CVE-2023-53862 https://git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8e
https://git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22
https://git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410
https://git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143ef
https://git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5
https://git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940
https://git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2a
https://git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netlink: do not hard code device address length in fdb dumps syzbot reports that some netdev devices do not have a six-byte address [1] Replace ETH_ALEN by dev->addr_len. [1] (Case of a device where dev->addr_len = 4) BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copyout+0xb8/0x100 lib/iov_iter.c:169 _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 copy_to_iter include/linux/uio.h:206 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg net/socket.c:1040 [inline] ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: __nla_put lib/nlattr.c:1009 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1067 nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] __hw_addr_create net/core/dev_addr_lists.c:60 [inline] __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:867 [inline] dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 addrconf_type_change net/ipv6/addrconf.c:3731 [inline] addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1935 [inline] call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 do_set_master net/core/rtnetlink.c:2626 [inline] rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] __rtnl_newlink net/core/rtnetlink.c:3660 [inline] rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf28/0x1230 
net/netlink/af_ —truncated— 2025-12-09 not yet calculated CVE-2023-53863 https://git.kernel.org/stable/c/61d1bf3c34bf5fe936c50d1a4bc460babcc85e88
https://git.kernel.org/stable/c/c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3
https://git.kernel.org/stable/c/bd1de6107f10e7d4c2aabe3397b58d63672fc511
https://git.kernel.org/stable/c/44db85c6e1a184b99a2cdf56b525ac63c4962c22
https://git.kernel.org/stable/c/619384319b137908d1008c92426c9daa95c06b90
https://git.kernel.org/stable/c/e9331c8fa4c69f09d2c71682af75586f77266e81
https://git.kernel.org/stable/c/b6f2d4618fc697886ad41e215ae20638153e42d0
https://git.kernel.org/stable/c/73862118bd9dec850aa8e775145647ddd23aedf8
https://git.kernel.org/stable/c/aa5406950726e336c5c9585b09799a734b6e77bf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() When disabling the overlay plane in mxsfb_plane_overlay_atomic_update(), the overlay plane’s framebuffer pointer is NULL, so dereferencing it would cause a kernel Oops (NULL pointer dereference). Fix the issue by disabling the overlay plane in mxsfb_plane_overlay_atomic_disable() instead. 2025-12-09 not yet calculated CVE-2023-53864 https://git.kernel.org/stable/c/8bf2d4ca521d3acb57fc1607386e749b3cc92aaf
https://git.kernel.org/stable/c/0f98de0a11d29821d9448114178ddc1b1fe32a18
https://git.kernel.org/stable/c/aa656d48e871a1b062e1bbf9474d8b831c35074c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix warning when putting transaction with qgroups enabled after abort If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this: [552.6789] ------------[ cut here ]------------ [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] [552.6817] Modules linked in: btrfs blake2b_generic xor (…) [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] [552.6821] Code: bd a0 01 00 (…) [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [552.6822] Call Trace: [552.6822] <TASK> [552.6822] ? __warn+0x80/0x130 [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] [552.6824] ? report_bug+0x1f4/0x200 [552.6824] ? handle_bug+0x42/0x70 [552.6824] ? exc_invalid_op+0x14/0x70 [552.6824] ? asm_exc_invalid_op+0x16/0x20 [552.6824] ? 
btrfs_put_transaction+0x123/0x130 [btrfs] [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 [552.6828] ? try_to_wake_up+0x94/0x5e0 [552.6828] ? __pfx_process_timeout+0x10/0x10 [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] [552.6832] kthread+0xee/0x120 [552.6832] ? __pfx_kthread+0x10/0x10 [552.6832] ret_from_fork+0x29/0x50 [552.6832] </TASK> [552.6832] ---[ end trace 0000000000000000 ]--- This corresponds to this line of code: void btrfs_put_transaction(struct btrfs_transaction *transaction) { (…) WARN_ON(!RB_EMPTY_ROOT( &transaction->delayed_refs.dirty_extent_root)); (…) } The warning happens because in btrfs_qgroup_destroy_extent_records(), called in the transaction abort path, we free all entries from the rbtree “dirty_extent_root” with rbtree_postorder_for_each_entry_safe(), but we don’t actually empty the rbtree – it’s still pointing to nodes that were freed. So set the rbtree’s root node to NULL to avoid this warning (assign RB_ROOT). 2025-12-09 not yet calculated CVE-2023-53865 https://git.kernel.org/stable/c/ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0
https://git.kernel.org/stable/c/d2c667cc18314c9bad3ec86ae071c0342132aa09
https://git.kernel.org/stable/c/c9060caab4135dd660c4676d1ea33a6e0d3fc09d
https://git.kernel.org/stable/c/89e994688e965813ec0a09fb30b87fb8cee06474
https://git.kernel.org/stable/c/62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb
https://git.kernel.org/stable/c/aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-compress: Reposition and add pcm_mutex If panic_on_warn is set and a compress stream (DPCM) is started, a kernel panic occurs because card->pcm_mutex isn’t held appropriately. In the following functions, warnings were issued at the line “snd_soc_dpcm_mutex_assert_held”. static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe, struct snd_soc_pcm_runtime *be, int stream) { … snd_soc_dpcm_mutex_assert_held(fe); … } void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream) { … snd_soc_dpcm_mutex_assert_held(fe); … } void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd, int stream, int action) { … snd_soc_dpcm_mutex_assert_held(rtd); … } int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir, int event) { … snd_soc_dpcm_mutex_assert_held(fe); … } These functions are called by soc_compr_set_params_fe, soc_compr_open_fe and soc_compr_free_fe without pcm_mutex locking. And this is the call stack. 
[ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750 [ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750 [ 414.527945][ T2179] Call trace: [ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750 [ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc [ 414.527972][ T2179] snd_compr_open+0x180/0x248 [ 414.527981][ T2179] snd_open+0x15c/0x194 [ 414.528003][ T2179] chrdev_open+0x1b0/0x220 [ 414.528023][ T2179] do_dentry_open+0x30c/0x594 [ 414.528045][ T2179] vfs_open+0x34/0x44 [ 414.528053][ T2179] path_openat+0x914/0xb08 [ 414.528062][ T2179] do_filp_open+0xc0/0x170 [ 414.528068][ T2179] do_sys_openat2+0x94/0x18c [ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4 [ 414.528084][ T2179] invoke_syscall+0x48/0x10c [ 414.528094][ T2179] el0_svc_common+0xbc/0x104 [ 414.528099][ T2179] do_el0_svc+0x34/0xd8 [ 414.528103][ T2179] el0_svc+0x34/0xc4 [ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc [ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4 [ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set … So, I reposition and add pcm_mutex to resolve the lockdep error. 2025-12-09 not yet calculated CVE-2023-53866 https://git.kernel.org/stable/c/9576b7ccc20365d27c26c494651c89360a85bbdc
https://git.kernel.org/stable/c/9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651
https://git.kernel.org/stable/c/37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d
https://git.kernel.org/stable/c/aa9ff6a4955fdba02b54fbc4386db876603703b7
 
TianoCore–EDK2 EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality. 2025-12-09 not yet calculated CVE-2024-38798 https://github.com/tianocore/edk2/security/advisories/GHSA-q2c6-37h5-7cwf
 
apprain–appRain CMF appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site’s uploads directory. 2025-12-10 not yet calculated CVE-2024-58279 ExploitDB-52041
Official Vendor Homepage
Software Link
VulnCheck Advisory: appRain CMF 4.0.5 Authenticated Remote Code Execution via Filemanager Upload
 
CMSimple–CMSimple CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ‘,php’ to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server. 2025-12-10 not yet calculated CVE-2024-58280 ExploitDB-52040
CMSimple Homepage
CMSimple Download Page
VulnCheck Advisory: CMSimple 5.15 Remote Command Execution via Extensions Configuration
 
dotclear–Dotclear Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. 2025-12-10 not yet calculated CVE-2024-58281 ExploitDB-52037
Vendor Homepage
Software Link
VulnCheck Advisory: Dotclear 2.29 Remote Code Execution via Authenticated File Upload
 
Serendipity–Serendipity Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server. 2025-12-10 not yet calculated CVE-2024-58282 ExploitDB-52036
Vendor Homepage
Software Link
VulnCheck Advisory: Serendipity 2.5.0 Remote Code Execution via Authenticated Media Upload
 
wbce–WBCE CMS WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter. 2025-12-10 not yet calculated CVE-2024-58283 ExploitDB-52039
WBCE CMS Homepage
WBCE CMS GitHub Repository
VulnCheck Advisory: WBCE CMS 1.6.2 Remote Code Execution via Elfinder File Upload
 
PopojiCMS–PopojiCMS PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter. 2025-12-10 not yet calculated CVE-2024-58284 ExploitDB-52022
Official Vendor Homepage
Product Archive
Project Repository
VulnCheck Advisory: PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings
 
chyrp–Chyrp Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks. 2025-12-10 not yet calculated CVE-2024-58285 ExploitDB-52013
Chyrp GitHub Repository
Chyrp Software Archive
VulnCheck Advisory: Chyrp 2.5.2 Stored Cross-Site Scripting Vulnerability via Post Title
 
vexorian–dizqueTV dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation. 2025-12-11 not yet calculated CVE-2024-58286 ExploitDB-52079
DizqueTV GitHub Repository
VulnCheck Advisory: dizqueTV 1.5.3 Remote Code Execution via FFMPEG Executable Path
 
rengine–reNgine reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration. 2025-12-11 not yet calculated CVE-2024-58287 ExploitDB-52081
Rengine Wiki Homepage
Rengine GitHub Repository
VulnCheck Advisory: reNgine 2.2.0 Authenticated Command Injection via Scan Engine Configuration
 
Genexus–Genexus Protection Server Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations. 2025-12-11 not yet calculated CVE-2024-58288 ExploitDB-52065
Official Genexus Homepage
Genexus Software Download Center
VulnCheck Advisory: Genexus Protection Server 9.7.2.10 Unquoted Service Path Privilege Escalation
 
microweber–Microweber Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript. 2025-12-11 not yet calculated CVE-2024-58289 ExploitDB-52058
Microweber Homepage
Microweber GitHub Repository
VulnCheck Advisory: Microweber 2.0.15 Stored Cross-Site Scripting via User Profile Fields
 
Elements–Xhibiter NFT Marketplace Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the ‘id’ parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or manipulate database information by sending crafted payloads to the collections page. 2025-12-11 not yet calculated CVE-2024-58290 ExploitDB-52060
Official Vendor Homepage
VulnCheck Advisory: Xhibiter NFT Marketplace 1.10.2 SQL Injection via Collections Endpoint
 
Flatboard–Flatboard Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads that execute when other users view the forum, potentially stealing session cookies and executing client-side scripts. 2025-12-11 not yet calculated CVE-2024-58291 ExploitDB-52054
Flatboard Homepage
Flatboard Support Page
VulnCheck Advisory: Flatboard 3.2 Authenticated Stored Cross-Site Scripting via Forum Information Field
 
xmbforum2–XMB Forum XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered. 2025-12-11 not yet calculated CVE-2024-58292 ExploitDB-52044
XMB Forum Homepage
VulnCheck Advisory: XMB Forum 1.9.12.06 Persistent Cross-Site Scripting via Admin Templates
 
Akaunting–Akaunting Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations. 2025-12-11 not yet calculated CVE-2024-58293 ExploitDB-52030
Vendor Homepage
Software Link
VulnCheck Advisory: Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields
 
FreePBX–FreePBX FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the ‘generatedocs’ endpoint by crafting malicious POST requests with bash command injection to establish remote shell access. 2025-12-11 not yet calculated CVE-2024-58294 ExploitDB-52031
Official Product Homepage
Original Video Link
VulnCheck Advisory: FreePBX 16 Authenticated Remote Code Execution via API Module
 
elkarte–ElkArte Forum ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory. 2025-12-11 not yet calculated CVE-2024-58295 ExploitDB-52026
ElkArte Homepage
ElkArte Software Download
VulnCheck Advisory: ElkArte Forum 1.1.9 Authenticated Remote Code Execution via Theme Upload
 
PhoenixCart–CE Phoenix CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page. 2025-12-11 not yet calculated CVE-2024-58296 ExploitDB-52015
PhoenixCart Homepage
CE Phoenix Admin Panel Demo
SoftAculous CE Phoenix App Page
https://www.vulncheck.com/advisories/ce-phoenix-v-stored-cross-site-scripting-via-currencies-administration
 
Pyrocms–PyroCMS PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the ‘Redirect From’ field to execute arbitrary JavaScript when administrators view the redirects page. 2025-12-11 not yet calculated CVE-2024-58297 ExploitDB-52016
PyroCMS Homepage
SoftAculous CMS Page
VulnCheck Advisory: PyroCMS v3.0.1 Stored Cross-Site Scripting via Admin Redirects
 
BMC Software–Compuware iStrobe Web Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the ‘fileName’ parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. 2025-12-11 not yet calculated CVE-2024-58298 ExploitDB-51991
BMC Compuware iStrobe Web Homepage
BMC Compuware iStrobe Web Support Page
https://www.vulncheck.com/advisories/compuware-istrobe-web-pre-auth-remote-code-execution-via-file-upload
 
Siklu–MultiHaul TG series Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. 2025-12-11 not yet calculated CVE-2024-58300 ExploitDB-51932
Siklu Homepage
VulnCheck Advisory: Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure
 
purei–Purei CMS Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information. 2025-12-11 not yet calculated CVE-2024-58301 ExploitDB-51929
Purei Homepage
VulnCheck Advisory: Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints
 
Flarum–FriendsofFlarum Pretty Mail FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation. 2025-12-11 not yet calculated CVE-2024-58302 ExploitDB-51947
Flarum Homepage
Pretty Mail GitHub Repository
VulnCheck Advisory: FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings
 
Flarum–FriendsofFlarum Pretty Mail FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation. 2025-12-11 not yet calculated CVE-2024-58303 ExploitDB-51948
Flarum Homepage
Pretty Mail GitHub Repository
VulnCheck Advisory: FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings
 
minalic–minaliC minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption. 2025-12-11 not yet calculated CVE-2024-58306 ExploitDB-51917
Reference
VulnCheck Advisory: minaliC 2.0.0 Denial of Service Vulnerability via Large GET Request
 
cszcms–CSZCMS CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information. 2025-12-11 not yet calculated CVE-2024-58307 ExploitDB-51916
CSZCMS Homepage
CSZCMS Download Page
VulnCheck Advisory: CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint
 
opensolution–Quick.CMS Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ‘ or ‘1’=’1 to gain unauthorized administrative access to the system. 2025-12-11 not yet calculated CVE-2024-58308 ExploitDB-51910
Official Product Homepage
Software Link
VulnCheck Advisory: Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login
 
xbtitfm–xbtitFM xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database. 2025-12-11 not yet calculated CVE-2024-58309 ExploitDB-51909
Official Vendor Homepage
VulnCheck Advisory: xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php
 
Apc–Network Management Card 4 APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like /etc/passwd by using encoded path traversal characters in HTTP requests. 2025-12-11 not yet calculated CVE-2024-58310 ExploitDB-51897
Official Product Homepage
VulnCheck Advisory: APC Network Management Card 4 Path Traversal
 
xbtitfm–xbtitFM xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests. 2025-12-11 not yet calculated CVE-2024-58312 ExploitDB-51909
Official Vendor Homepage
VulnCheck Advisory: xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php
 
xbtitfm–xbtitFM xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands. 2025-12-11 not yet calculated CVE-2024-58313 ExploitDB-51909
Official Vendor Homepage
VulnCheck Advisory: xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature
 
HYPR–Server Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing. This issue affects Server: before 10.1. 2025-12-11 not yet calculated CVE-2024-8273 https://www.hypr.com/trust-center/security-advisories
 
Frappe–Frappe HelpDesk SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0. 2025-12-09 not yet calculated CVE-2025-10655 https://fluidattacks.com/advisories/dyango
https://github.com/frappe/helpdesk
https://github.com/frappe/helpdesk/pull/2795
 
Unknown–Construction Light The Construction Light WordPress theme before 1.6.8 does not have authorization and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary . 2025-12-12 not yet calculated CVE-2025-10684 https://wpscan.com/vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/
 
HP Inc–HP System Event Utility HP System Event Utility and Omen Gaming Hub might allow execution of certain files outside of their restricted paths. This potential vulnerability was remediated with HP System Event Utility version 3.2.12 and Omen Gaming Hub version 1101.2511.101.0. 2025-12-09 not yet calculated CVE-2025-11531 https://support.hp.com/us-en/document/ish_13537533-13537555-16/hpsbgn04079
 
AlgoSec–Firewall Analyzer Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the sudoers file. This issue affects Firewall Analyzer: A33.0, A33.10. 2025-12-09 not yet calculated CVE-2025-12381 https://techdocs.algosec.com/en/cves/Content/tech-notes/cves/cve-2025-12381.htm
 
Unknown–HelloLeads CRM Form Shortcode The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them. 2025-12-14 not yet calculated CVE-2025-12696 https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/
 
Rockwell Automation–FactoryTalk DataMosaix Private Cloud A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints. 2025-12-09 not yet calculated CVE-2025-12807 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1765.html
 
Unknown–WooMulti The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server. 2025-12-12 not yet calculated CVE-2025-12835 https://wpscan.com/vulnerability/1650ddac-04c7-47fa-b03e-bd0338243fcc/
 
Unknown–Bookit The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options. 2025-12-12 not yet calculated CVE-2025-12841 https://wpscan.com/vulnerability/60cb3d5f-1aa5-4858-ab84-07fe7c023fdd/
 
waveterm–waveterm Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2. 2025-12-12 not yet calculated CVE-2025-12843 https://fluidattacks.com/advisories/minutos
https://github.com/wavetermdev/waveterm
 
NETGEAR–C6220 Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users to reboot the router. 2025-12-09 not yet calculated CVE-2025-12941 https://www.netgear.com/support/product/c6220/
https://www.netgear.com/support/product/c6230/
https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory
 
NETGEAR–R7000P A vulnerability in NETGEAR Nighthawk R7000P routers lets an authenticated admin execute OS command injections due to improper input validation. This issue affects R7000P: through 1.3.3.154. 2025-12-09 not yet calculated CVE-2025-12945 https://www.netgear.com/support/product/r7000p
https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory
 
NETGEAR–RS700 A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router’s WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses and execute commands when speedtests are run. This issue affects RS700: through 1.0.7.82; RAX54Sv2: before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36. 2025-12-09 not yet calculated CVE-2025-12946 https://www.netgear.com/support/product/rs700
https://www.netgear.com/support/product/rax54sv2
https://www.netgear.com/support/product/rax41v2
https://www.netgear.com/support/product/RAX50
https://www.netgear.com/support/product/raxe500
https://www.netgear.com/support/product/rax41
https://www.netgear.com/support/product/rax43
https://www.netgear.com/support/product/rax35v2
https://www.netgear.com/support/product/raxe450
https://www.netgear.com/support/product/rax43v2
https://www.netgear.com/support/product/rax42
https://www.netgear.com/support/product/rax45
https://www.netgear.com/support/product/rax50v2
https://www.netgear.com/support/product/mr90
https://www.netgear.com/support/product/ms90
https://www.netgear.com/support/product/rax42v2
https://www.netgear.com/support/product/rax49s
https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory
 
Google Cloud–Dialogflow CX A privilege escalation vulnerability exists in Google Cloud’s Dialogflow CX. Dialogflow agent developers with Webhook editor permission are able to configure Webhooks using Dialogflow service agent access token authentication. This allows the attacker to escalate their privileges from agent-level to project-level, granting them unauthorized access to manage resources in services associated with the project, leading to unexpected costs and resource depletion for the producer project. A fix was applied on the server side to protect from this vulnerability in February 2025. No customer action is required. 2025-12-10 not yet calculated CVE-2025-12952 https://docs.cloud.google.com/dialogflow/docs/release-notes#June_12_2025
 
Unknown–WPeMatico RSS Feed Fetcher The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. 2025-12-09 not yet calculated CVE-2025-13031 https://wpscan.com/vulnerability/9bf76fed-8f0a-4aef-8cf4-f6839c8f0a53/
 
ASUSTOR–ADM When the user sets the Notification sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain sensitive SMTP information. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42. 2025-12-12 not yet calculated CVE-2025-13052 https://www.asustor.com/security/security_advisory_detail?id=49
 
ASUSTOR–ADM When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MITM) attack, which may obtain sensitive information from the UPS server configuration. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42. 2025-12-12 not yet calculated CVE-2025-13053 https://www.asustor.com/security/security_advisory_detail?id=49
 
Unknown–CSV to SortTable The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks. 2025-12-09 not yet calculated CVE-2025-13070 https://wpscan.com/vulnerability/deb52d69-d7f8-43a5-a709-1f543fd343c6/
 
Unknown–Custom Admin Menu The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2025-12-09 not yet calculated CVE-2025-13071 https://wpscan.com/vulnerability/83c47c58-0395-4224-beaa-2f64ed92ef16/
 
Unknown–HandL UTM Grabber / Tracker The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2025-12-10 not yet calculated CVE-2025-13072 https://wpscan.com/vulnerability/e3795f29-b886-4b92-a7d6-5f5afd7090aa/
 
Unknown–HandL UTM Grabber / Tracker The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2025-12-10 not yet calculated CVE-2025-13073 https://wpscan.com/vulnerability/697fc4be-782c-44cc-840a-774c8ab3ccd8/
 
Toto Link–X5000R’s (AX1800 router) Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation may also be affected. 2025-12-10 not yet calculated CVE-2025-13184 https://hackingbydoing.wixsite.com/hackingbydoing/post/totolink-x5000r-ax1800-router-authentication-bypass
 
Google Cloud–Google Cloud SecOps SOAR A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an “IDE role” to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise. No customer action is required. All customers have been automatically upgraded to the fixed version: 6.3.64 or higher. 2025-12-09 not yet calculated CVE-2025-13428 https://cloud.google.com/support/bulletins#gcp-2025-075
 
Dr.Buho–BuhoNTFS BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoNTFS: 1.3.2. 2025-12-12 not yet calculated CVE-2025-13733 https://fluidattacks.com/advisories/greenday
https://www.drbuho.com/buhontfs
 
Docker–Docker Desktop Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred. 2025-12-09 not yet calculated CVE-2025-13743 https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#troubleshoot-menu
 
wolfSSL–wolfSSL Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. 2025-12-11 not yet calculated CVE-2025-13912 https://github.com/wolfSSL/wolfssl/pull/9148
 
GTT–Sistema de Información Tributario Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method. Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information. Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain, without the need for valid credentials, compromising the confidentiality, integrity, and availability of the application and its data. 2025-12-10 not yet calculated CVE-2025-13953 https://www.incibe.es/en/incibe-cert/notices/aviso/bypass-authentication-method-gtt-sistema-de-informacion-tributario
 
EZCast–EZCast Pro II Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to bypass authorization checks and gain full access to the admin UI. 2025-12-10 not yet calculated CVE-2025-13954 https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html
 
EZCast–EZCast Pro II Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II version 1.17478.146 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers. 2025-12-10 not yet calculated CVE-2025-13955 https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html
 
GitHub–Enterprise Server An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21. 2025-12-11 not yet calculated CVE-2025-14046 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21
 
Google–Chrome Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) 2025-12-12 not yet calculated CVE-2025-14174
 
KNIME–KNIME Business Hub A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if they were saved by the job owner. The attacker must have permissions to access the jobs, but then they were saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions. There is no workaround. 2025-12-08 not yet calculated CVE-2025-14262 https://www.knime.com/security/advisories#CVE-2025-11239
 
Robocode Project–Robocode A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/ 2025-12-09 not yet calculated CVE-2025-14306 https://github.com/robo-code/robocode/pull/67
 
Robocode Project–Robocode An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. The createTempFile method fails to securely create temporary files, allowing attackers to exploit race conditions and potentially execute arbitrary code or overwrite critical files. This vulnerability can be exploited by manipulating the temporary file creation process, leading to potential unauthorized actions. 2025-12-09 not yet calculated CVE-2025-14307 https://github.com/robo-code/robocode/pull/68
 
Robocode Project–Robocode An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6. The method fails to properly validate the length of data being written, allowing attackers to cause an overflow, potentially leading to buffer overflows and arbitrary code execution. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the data length, leading to potential unauthorized code execution. 2025-12-09 not yet calculated CVE-2025-14308 https://github.com/robo-code/robocode/pull/70
 
rethinkdb–rethinkdb Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in rethinkdb. This issue affects rethinkdb: before 2.4.4. 2025-12-09 not yet calculated CVE-2025-14310 https://github.com/rethinkdb/rethinkdb/pull/7163
 
JMRI–JMRI Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in JMRI. This issue affects JMRI: before 5.13.3. 2025-12-09 not yet calculated CVE-2025-14311 https://github.com/JMRI/JMRI/pull/14340
 
Mozilla–Firefox Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14321 https://bugzilla.mozilla.org/show_bug.cgi?id=1992760
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14322 https://bugzilla.mozilla.org/show_bug.cgi?id=1996473
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-93/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14323 https://bugzilla.mozilla.org/show_bug.cgi?id=1996555
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-93/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14324 https://bugzilla.mozilla.org/show_bug.cgi?id=1996840
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-93/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14325 https://bugzilla.mozilla.org/show_bug.cgi?id=1998050
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Use-after-free in the Audio/Video: GMP component. This vulnerability affects Firefox < 146 and Thunderbird < 146. 2025-12-09 not yet calculated CVE-2025-14326 https://bugzilla.mozilla.org/show_bug.cgi?id=1840666
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-95/
 
Mozilla–Firefox Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146 and Thunderbird < 146. 2025-12-09 not yet calculated CVE-2025-14327 https://bugzilla.mozilla.org/show_bug.cgi?id=1970743
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-95/
 
Mozilla–Firefox Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14328 https://bugzilla.mozilla.org/show_bug.cgi?id=1996761
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14329 https://bugzilla.mozilla.org/show_bug.cgi?id=1997018
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14330 https://bugzilla.mozilla.org/show_bug.cgi?id=1997503
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14331 https://bugzilla.mozilla.org/show_bug.cgi?id=2000218
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-93/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Mozilla–Firefox Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Thunderbird < 146. 2025-12-09 not yet calculated CVE-2025-14332 Memory safety bugs fixed in Firefox 146 and Thunderbird 146
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-95/
 
Mozilla–Firefox Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. 2025-12-09 not yet calculated CVE-2025-14333 Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
https://www.mozilla.org/security/advisories/mfsa2025-92/
https://www.mozilla.org/security/advisories/mfsa2025-94/
https://www.mozilla.org/security/advisories/mfsa2025-95/
https://www.mozilla.org/security/advisories/mfsa2025-96/
 
Google–Chrome Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) 2025-12-12 not yet calculated CVE-2025-14372
 
Google–Chrome Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) 2025-12-12 not yet calculated CVE-2025-14373
 
Gladinet–CentreStack and TrioFox Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise. 2025-12-12 not yet calculated CVE-2025-14611 https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
 
Google–Android In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-22420 https://android.googlesource.com/platform/frameworks/base/+/fb8f76eca9079c34af3e14ee0a58bc10a580ec42
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-22432 https://android.googlesource.com/platform/packages/services/Telecomm/+/a43a880beaa6a64348a1d0c821e8c7e98d741a79
https://source.android.com/security/bulletin/2025-12-01
 
TianoCore–EDK2 EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability. 2025-12-09 not yet calculated CVE-2025-2296 https://github.com/tianocore/edk2/security/advisories/GHSA-6pp6-cm5h-86g5
 
Apache Software Foundation–Apache Fineract Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release. 2025-12-12 not yet calculated CVE-2025-23408 https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf
 
Apache Software Foundation–Apache HugeGraph-Server A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue. 2025-12-12 not yet calculated CVE-2025-26866 https://github.com/apache/incubator-hugegraph/pull/2735
https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq
 
Google–Android In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass. This could lead to local escalation of privilege with user execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-32319 https://android.googlesource.com/platform/frameworks/base/+/70ab82c4546aa893682a4507664dc2c471d6cd95
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-32328 https://android.googlesource.com/platform/frameworks/base/+/e030442861f4dd0e03d67b65f0940b488007f0d7
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-32329 https://android.googlesource.com/platform/frameworks/base/+/e030442861f4dd0e03d67b65f0940b488007f0d7
https://source.android.com/security/bulletin/2025-12-01
 
Barracuda Networks–RMM Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload. 2025-12-10 not yet calculated CVE-2025-34392 https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
https://www.barracuda.com/products/msp/network-protection/rmm
https://www.vulncheck.com/advisories/barracuda-rmm-service-center-absolute-path-traversal-rce
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
 
Barracuda Networks–RMM Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an attacker-controlled WSDL service, leading to insecure reflection. This can result in remote code execution through either invocation of arbitrary methods or deserialization of untrusted types. 2025-12-10 not yet calculated CVE-2025-34393 https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
https://www.barracuda.com/products/msp/network-protection/rmm
https://www.vulncheck.com/advisories/barracuda-rmm-service-center-insecure-reflection-rce
 
Barracuda Networks–RMM Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution. 2025-12-10 not yet calculated CVE-2025-34394 https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
https://www.barracuda.com/products/msp/network-protection/rmm
https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-deserialization-rce
 
Barracuda Networks–RMM Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service in which an unauthenticated attacker can invoke a method vulnerable to path traversal to read arbitrary files. This vulnerability can be escalated to remote code execution by retrieving the .NET machine keys. 2025-12-10 not yet calculated CVE-2025-34395 https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
https://www.barracuda.com/products/msp/network-protection/rmm
https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-path-traversal-rce
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAINFY.DLL from its application directory without sufficient integrity validation or a secure search order. If the DLL is missing or attacker-writable locations in the search path are used, a local attacker with write permissions to the directory can plant a malicious MEAINFY.DLL. When the executable is launched, it loads the attacker-controlled library and executes code with the privileges of the process, enabling local privilege escalation when run with elevated rights. 2025-12-09 not yet calculated CVE-2025-34396 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meainfy-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Message parameter of /Mobile/Compose.aspx. The Message value is not properly sanitized when processed via a GET request and is reflected into a JavaScript context in the response. By supplying a crafted payload that terminates the existing script block/function, injects attacker-controlled JavaScript, and comments out the remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim opens the crafted reply URL. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34397 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-message-parameter-of-mobile-compose-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrBcc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34398 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressesbcc-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesCc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrCc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34399 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressescc-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesTo value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the response. By supplying a crafted payload that terminates the existing JavaScript function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34400 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressesto-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldBcc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var BCCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser during normal email composition. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34401 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldbcc-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldCc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var CCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34402 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldcc-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var fieldTo. By supplying a crafted payload that terminates the existing Finish() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34403 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldto-parameter-of-addressbook-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var gInstanceScope. By supplying a crafted payload that terminates the existing PageLoad() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34404 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-instancescope-parameter-of-cal-compose-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Id parameter of /Mobile/ContactDetails.aspx. The Id value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the response. By supplying a crafted payload that terminates an existing JavaScript function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim opens a malicious link. Successful exploitation can redirect victims to malicious sites, steal cookies not protected by HttpOnly, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34406 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-id-parameter-of-mobile-contactdetails-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx. The theme value is insufficiently sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of an existing iframe context and inject arbitrary script. A remote attacker can supply a crafted payload that closes the iframe tag, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34407 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-theme-parameter-of-statistics-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Added parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Added value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34408 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-added-parameter-of-mai-addrecipientsresult-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34409 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-failed-parameter-of-mai-addrecipientsresult-aspx
 
LXware–1Panel 1Panel versions 1.10.33 – 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service. 2025-12-10 not yet calculated CVE-2025-34410 https://github.com/1Panel-dev/1Panel/releases
https://1panel.pro/
https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout
 
DigitalPA S.r.l.–Legality WHISTLEBLOWING Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. Affected deployments omit Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy (with CSP delivered via HTML meta elements being inadequate). The absence of these headers weakens browser-side defenses and increases exposure to client-side attacks such as cross-site scripting, clickjacking, referer leakage, and cross-origin data disclosure. 2025-12-09 not yet calculated CVE-2025-34413 https://seclists.org/fulldisclosure/2025/Dec/0
https://www.digitalpa.net/en/whistleblowing-software-features/
https://www.vulncheck.com/advisories/legality-whisteblowing-missing-critical-http-security-headers
 
Entrust Corporation–Instant Financial Issuance (IF) Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP remoting channel with SOAP and binary formatters configured at TypeFilterLevel=Full and exposes default ObjectURI endpoints. A remote, unauthenticated attacker who can reach the remoting port can invoke the exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. 2025-12-09 not yet calculated CVE-2025-34414 https://www.entrust.com/products/issuance-systems/instant/financial-card
https://www.entrust.com/knowledgebase
https://www.vulncheck.com/advisories/entrust-ifi-legacy-remoting-unauthenticated-net-remoting-exposure
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIPO.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIPO.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34416 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaipo-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISO.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISO.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34417 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiso-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIMF.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIMF.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34418 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaimf-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISM.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISM.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34419 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaism-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIAM.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIAM.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34420 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiam-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34421 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaisp-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIPC.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIPC.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34422 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaipc-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIAU.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIAU.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34423 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiau-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIDP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIDP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. 2025-12-10 not yet calculated CVE-2025-34424 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaidp-dll
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a <script> context in the JavaScript variable window.location, allowing an attacker to break out of the existing script and inject arbitrary JavaScript. A remote attacker can supply a crafted payload that terminates the existing ProcessContextSwitchResult() function, inserts attacker-controlled script, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link or attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. 2025-12-09 not yet calculated CVE-2025-34425 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-windowscontext-parameter-of-mai-compose-aspx
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control. 2025-12-10 not yet calculated CVE-2025-34427 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-tab
 
MailEnable–MailEnable MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control. 2025-12-10 not yet calculated CVE-2025-34428 https://mailenable.com/Standard-ReleaseNotes.txt
https://www.mailenable.com/
https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-sav
 
LXware–1Panel 1Panel versions 1.10.33 – 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port. 2025-12-10 not yet calculated CVE-2025-34429 https://github.com/1Panel-dev/1Panel/releases
https://1panel.pro/
https://www.vulncheck.com/advisories/1panel-csrf-web-port-configuration-change
 
LXware–1Panel 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent. 2025-12-10 not yet calculated CVE-2025-34430 https://github.com/1Panel-dev/1Panel/releases
https://1panel.pro/
https://www.vulncheck.com/advisories/1panel-csrf-panel-name-modification
 
AnyDesk–AnyDesk AnyDesk 7.0.15 and 9.0.1 contain an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted service path configuration to inject malicious executables that will be run with high-level system permissions. 2025-12-11 not yet calculated CVE-2025-34499 ExploitDB-52258
ExploitDB-51968
AnyDesk Homepage
AnyDesk Software Link
VulnCheck Advisory: AnyDesk 9.0.1 Unquoted Service Path Privilege Escalation Vulnerability
 
kodcloud–KodExplorer KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the ‘link’ parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication. 2025-12-11 not yet calculated CVE-2025-34504 ExploitDB-52245
KodExplorer Homepage
KodExplorer Release Page
VulnCheck Advisory: KodExplorer 4.52 Open Redirect Vulnerability via User Login Endpoint
 
WBCE–WBCE CMS WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed. 2025-12-11 not yet calculated CVE-2025-34506 ExploitDB-52132
WBCE CMS Homepage
WBCE CMS GitHub Repository
YouTube Demonstration
Swammers8 GitHub Repository
VulnCheck Advisory: WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload
 
SolarEdge–SE3680H SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands. 2025-12-12 not yet calculated CVE-2025-36743 https://csirt.divd.nl/CVE-2025-36743
https://csirt.divd.nl/DIVD-2025-00022/
 
SolarEdge–SE3680H SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits diagnostic output; this behavior can leak operating system information. 2025-12-12 not yet calculated CVE-2025-36744 https://csirt.divd.nl/CVE-2025-36744
https://csirt.divd.nl/DIVD-2025-00022/
 
SolarEdge–SE3680H SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. An attacker with network or local access can exploit these flaws to achieve remote code execution, privilege escalation, or disclosure of sensitive information. 2025-12-12 not yet calculated CVE-2025-36745 https://csirt.divd.nl/CVE-2025-36745
https://csirt.divd.nl/DIVD-2025-00022/
 
SolarEdge–SolarEdge Monitoring platform (SaaS) SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim’s browser during a deletion attempt. 2025-12-12 not yet calculated CVE-2025-36746 https://csirt.divd.nl/CVE-2025-36746
https://csirt.divd.nl/DIVD-2025-00022/
 
Growatt–ShineLan-X ShineLan-X contains a set of credentials for an FTP server within its firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since firmware signature verification is not enforced. 2025-12-13 not yet calculated CVE-2025-36747 https://csirt.divd.nl/CVE-2025-36747/
 
Growatt–ShineLan-X ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. 2025-12-13 not yet calculated CVE-2025-36748 https://csirt.divd.nl/CVE-2025-36748/
 
Growatt–ShineLan-X ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the Plant Name field. An HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. 2025-12-13 not yet calculated CVE-2025-36750 https://csirt.divd.nl/CVE-2025-36750/
 
Growatt–ShineLan-X Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint. 2025-12-13 not yet calculated CVE-2025-36751 https://csirt.divd.nl/CVE-2025-36751/
 
Growatt–ShineLan-X The Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. 2025-12-13 not yet calculated CVE-2025-36752 https://csirt.divd.nl/CVE-2025-36752/
 
Growatt–ShineLan-X The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extract secrets or domains from within the device. 2025-12-13 not yet calculated CVE-2025-36753 https://csirt.divd.nl/CVE-2025-36753/
 
Growatt–ShineLan-X The authentication mechanism on the web interface is not properly implemented. It is possible to bypass authentication checks by crafting a POST request with new settings, since there is no session token or authentication in place. This would allow an attacker, for instance, to point the device to an arbitrary address for domain name resolution to e.g. facilitate a man-in-the-middle (MitM) attack. 2025-12-13 not yet calculated CVE-2025-36754 https://csirt.divd.nl/CVE-2025-36754/
 
CleverDisplay B.V.–BlueOne (CleverDisplay Hardware Player) The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after circumventing the device’s protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations. 2025-12-12 not yet calculated CVE-2025-36755 https://csirt.divd.nl/CVE-2025-5743/
https://csirt.divd.nl/DIVD-2025-00043
 
Google–Android In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36889 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In cellular modem, there is a possible denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36912 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In PrepareWorkloadBuffers of gxp_main_actor.cc, there is a possible double fetch due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36916 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36917 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In aoc_service_read_message of aoc_ipc_core.c, there is a possible out of bounds read due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36918 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36919 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36921 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In bigo_map of bigo_iommu.c, there is a possible information disclosure due to a use after free. This could lead to local escalation of privilege in the OS Kernel level with System execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36922 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In NrmmDecoder::DecodeSORTransparentContext of cn_NrmmDecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36923 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In ss_DecodeLcsAssistDataReqMsg(void) of ss_LcsManagement.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36924 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36925 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36927 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36928 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36929 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36930 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36931 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In tracepoint_msg_handler of cpm/google/lib/tracepoint/tracepoint_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36932 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In bigo_worker_thread of private/google-modules/video/gchips/bigo.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36934 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36935 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36936 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36937 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Google–Android In U-Boot of append_uint32_le(), there is a possible fault injection due to a logic error in the code. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-11 not yet calculated CVE-2025-36938 https://source.android.com/security/bulletin/pixel/2025-12-01
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a (“xsk: Fix immature cq descriptor production”), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool’s completion queue. skb control block shouldn’t be used for this purpose as after transmit xsk doesn’t have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:xsk_destruct_skb+0xd0/0x180 […] Call Trace: <IRQ> ? napi_complete_done+0x7a/0x1a0 ip_rcv_core+0x1bb/0x340 ip_rcv+0x30/0x1f0 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0x87/0x130 __napi_poll+0x28/0x180 net_rx_action+0x339/0x420 handle_softirqs+0xdc/0x320 ? handle_edge_irq+0x90/0x1e0 do_softirq.part.0+0x3b/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x60/0x70 __dev_direct_xmit+0x14e/0x1f0 __xsk_generic_xmit+0x482/0xb70 ? __remove_hrtimer+0x41/0xa0 ? __xsk_generic_xmit+0x51/0xb70 ? _raw_spin_unlock_irqrestore+0xe/0x40 xsk_sendmsg+0xda/0x1c0 __sys_sendto+0x1ee/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x84/0x2f0 ? __pfx_pollwake+0x10/0x10 ? __rseq_handle_notify_resume+0xad/0x4c0 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> […] Kernel panic – not syncing: Fatal exception in interrupt Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this is a single address or an allocated struct containing several addresses. 2025-12-08 not yet calculated CVE-2025-40290 https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d
https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837
https://bugs.debian.org/1118437
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io_uring: fix regbuf vector size truncation There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn’t overflow “int”s used later. Rough but simple, can be improved on top. 2025-12-08 not yet calculated CVE-2025-40291 https://git.kernel.org/stable/c/826ce37a842633efe1bb763e4b13045d74060d72
https://git.kernel.org/stable/c/146eb58629f45f8297e83d69e64d4eea4b28d972
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 (“virtio-net: use mtu size as buffer length for big packets”), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net driver’s get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one. This commit fixes the received length check corresponding to the new change. 2025-12-08 not yet calculated CVE-2025-40292 https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d
https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a
https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b
https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2
https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: Don’t overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. 2025-12-08 not yet calculated CVE-2025-40293 https://git.kernel.org/stable/c/07105e61882ff4a7d58db63cc5f9e90c6c60506c
https://git.kernel.org/stable/c/4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69
https://git.kernel.org/stable/c/de7f2c67ceb1941b05b04ac35458a03e93cc57b1
https://git.kernel.org/stable/c/dbf316fc90aa954dcd5440817f4b944627ed63e0
https://git.kernel.org/stable/c/cb30dfa75d55eced379a42fd67bd5fb7ec38555e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the ‘length’ variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the ‘value’ array in the mgmt_adv_pattern structure is 31. If the value of ‘pattern[i].length’ is set in the user space and exceeds 31, the ‘patterns[i].value’ array can be accessed out of bound when copied. Increasing the size of the ‘value’ array in the ‘mgmt_adv_pattern’ structure will break the userspace. Considering this, and to avoid OOB access revert the limits for ‘offset’ and ‘length’ back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. 2025-12-08 not yet calculated CVE-2025-40294 https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190
https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b
https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d
https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7
https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning. [ 2.697306] ————[ cut here ]———— [ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [ 2.697311] shift exponent -1 is negative [ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 2.697320] Call Trace: [ 2.697324] <TASK> [ 2.697325] dump_stack_lvl+0x76/0xa0 [ 2.697340] dump_stack+0x10/0x20 [ 2.697342] __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [ 2.697351] bh_get_inode_and_lblk_num.cold+0x12/0x94 [ 2.697359] fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [ 2.697365] submit_bh_wbc+0xb6/0x190 [ 2.697370] block_read_full_folio+0x194/0x270 [ 2.697371] ? __pfx_blkdev_get_block+0x10/0x10 [ 2.697375] ? __pfx_blkdev_read_folio+0x10/0x10 [ 2.697377] blkdev_read_folio+0x18/0x30 [ 2.697379] filemap_read_folio+0x40/0xe0 [ 2.697382] filemap_get_pages+0x5ef/0x7a0 [ 2.697385] ? mmap_region+0x63/0xd0 [ 2.697389] filemap_read+0x11d/0x520 [ 2.697392] blkdev_read_iter+0x7c/0x180 [ 2.697393] vfs_read+0x261/0x390 [ 2.697397] ksys_read+0x71/0xf0 [ 2.697398] __x64_sys_read+0x19/0x30 [ 2.697399] x64_sys_call+0x1e88/0x26a0 [ 2.697405] do_syscall_64+0x80/0x670 [ 2.697410] ? __x64_sys_newfstat+0x15/0x20 [ 2.697414] ? x64_sys_call+0x204a/0x26a0 [ 2.697415] ? do_syscall_64+0xb8/0x670 [ 2.697417] ? irqentry_exit_to_user_mode+0x2e/0x2a0 [ 2.697420] ? irqentry_exit+0x43/0x50 [ 2.697421] ? exc_page_fault+0x90/0x1b0 [ 2.697422] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 2.697425] RIP: 0033:0x75054cba4a06 [ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [ 2.697436] </TASK> [ 2.697436] —[ end trace ]— This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit. File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue. [EB: use folio_pos() and consolidate the two shifts by i_blkbits] 2025-12-08 not yet calculated CVE-2025-40295 https://git.kernel.org/stable/c/dde026c5d2a5870f97924d5b512adf2b93fb7153
https://git.kernel.org/stable/c/1e39da974ce621ed874c6d3aaf65ad14848c9f0d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe. This behavior can also be reproduced by unloading the module directly. Fix the issue by removing the redundant release of the GPIO device during regulator unregistration. 2025-12-08 not yet calculated CVE-2025-40296 https://git.kernel.org/stable/c/b8113bb56c45bd17bac5144b55591f9cdbd6aabe
https://git.kernel.org/stable/c/f0f7a3f542c1698edb69075f25a3f846207facba
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port’s state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port’s state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn’t happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it’s being deleted which will stop learning. This fix adds a check for the port’s vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port’s vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be 2025-12-08 not yet calculated CVE-2025-40297 https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198
https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8
https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb
https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b
https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gve: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference. 2025-12-08 not yet calculated CVE-2025-40298 https://git.kernel.org/stable/c/c9efb03ff4fae0bc7e5ef3323c3aab599cb4c88a
https://git.kernel.org/stable/c/329d050bbe63c2999f657cf2d3855be11a473745
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gve: Implement gettimex64 with -EOPNOTSUPP gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing. 2025-12-08 not yet calculated CVE-2025-40299 https://git.kernel.org/stable/c/96ec90412ceb58c73fd3714e40ab2cee1eedac3b
https://git.kernel.org/stable/c/6ab753b5d8e521616cd9bd10b09891cbeb7e0235
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data. 2025-12-08 not yet calculated CVE-2025-40301 https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759
https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8
https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9
https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50
https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls. 2025-12-08 not yet calculated CVE-2025-40302 https://git.kernel.org/stable/c/a6a493b985bfffac097a4e1be09f98b27729dca8
https://git.kernel.org/stable/c/e819b34df0a7030a15c968d619fa8a3ed2455c7a
https://git.kernel.org/stable/c/27afd6e066cfd80ddbe22a4a11b99174ac89cced
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free. [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state. But there are some metadata modifications before that error, and they are still in the btree inode page cache. Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty. And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata. And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free. [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them. Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues. The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn’t be (overwriting existing tree blocks). In that case writing them back will further corrupt the fs. 2025-12-08 not yet calculated CVE-2025-40303 https://git.kernel.org/stable/c/066ee13f05fbd82ada01883e51f0695172f98dff
https://git.kernel.org/stable/c/e2b3859067bf012d53c49b3f885fef40624a2c83
https://git.kernel.org/stable/c/54a5b5a15588e3b0b294df31474d08a2678d4291
https://git.kernel.org/stable/c/2618849f31e7cf51fadd4a5242458501a6d5b315
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes. 2025-12-08 not yet calculated CVE-2025-40304 https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702
https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c
https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1
https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d
https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752
https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939
https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb
https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn’t set Rworksched and doesn’t do schedule_work(m->rq) if list_empty(&m->req_list). However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (“pipe_read: don’t wake up the writer if the pipe is still full”). p9_read_work() does p9_fd_read() -> … -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(); p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq). This no longer happens after the optimization above; change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT. 2025-12-08 not yet calculated CVE-2025-40305 https://git.kernel.org/stable/c/2e1461034aef99e905a1fe5589aaf00eaea73eee
https://git.kernel.org/stable/c/242531004d7de8c159f9bfadebe33fe8060b1046
https://git.kernel.org/stable/c/e8fe3f07a357c39d429e02ca34f740692d88967a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow… Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread. I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on. After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that led to OOM. xattr_key returns a hashed key. When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_long, which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr “security.capability” every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for “security.capability” resulted in another kmalloc, none of which were ever freed. I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture. 2025-12-08 not yet calculated CVE-2025-40306 https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931
https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865
https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab
https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126
https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe
https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021
https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e
https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use. 2025-12-08 not yet calculated CVE-2025-40307 https://git.kernel.org/stable/c/6bc58b4c53795ab5fe00648344aa7d9d61175f90
https://git.kernel.org/stable/c/13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf
https://git.kernel.org/stable/c/79c1587b6cda74deb0c86fc7ba194b92958c793c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. 2025-12-08 not yet calculated CVE-2025-40308 https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a
https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b
https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671
https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334
https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc
https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s —truncated— 2025-12-08 not yet calculated CVE-2025-40309 https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c
https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23
https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c
https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd
https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718
https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0
https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425
https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is a race between amdgpu_amdkfd_device_fini_sw and interrupt handling, if amdgpu_amdkfd_device_fini_sw runs in between kfd_cleanup_nodes and kfree(kfd) and a KGD interrupt is generated. kernel panic log: BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP PGD d78c68067 P4D d78c68067 kfd kfd: amdgpu: Allocated 3969056 bytes on gart PUD 1465b8067 PMD @ Oops: @002 [#1] SMP NOPTI kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40 Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc 89 c6 e8 07 38 5d RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00 CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033 CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu] ? amdgpu_fence_process+0xa4/0x150 [amdgpu] kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace amdgpu_irq_dispatch+0x165/0x210 [amdgpu] amdgpu_ih_process+0x80/0x100 [amdgpu] amdgpu: Virtual CRAT table created for GPU amdgpu_irq_handler+0x1f/@x60 [amdgpu] __handle_irq_event_percpu+0x3d/0x170 amdgpu: Topology: Add dGPU node [0x74a2:0x1002] handle_irq_event+0x5a/@xcO handle_edge_irq+0x93/0x240 kfd kfd: amdgpu: KFD node 1 partition @ size 49148M asm_call_irq_on_stack+0xf/@x20 </IRQ> common_interrupt+0xb3/0x130 asm_common_interrupt+0x1le/0x40 5.10.134-010.a1i5000.a18.x86_64 #1 2025-12-08 not yet calculated CVE-2025-40310 https://git.kernel.org/stable/c/93f8d67ef8b50334a26129df4da5a4cb60ad4090
https://git.kernel.org/stable/c/bc9e789053abe463f8cf74eee5fc2f157c11a79f
https://git.kernel.org/stable/c/2f89a2d15550b653caaeeab7ab68c4d7583fd4fe
https://git.kernel.org/stable/c/99d7181bca34e96fbf61bdb6844918bdd4df2814
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace. 2025-12-08 not yet calculated CVE-2025-40311 https://git.kernel.org/stable/c/7ec8ac9f73d4a9438c2186768d6de27ace37531e
https://git.kernel.org/stable/c/d1dfe21a332d38a6a09658ec29a55940afb5fe36
https://git.kernel.org/stable/c/73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9
https://git.kernel.org/stable/c/513024d5a0e34fd34247043f1876b6138ca52847
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (“isofs: Verify inode mode when loading from disk”) does. 2025-12-08 not yet calculated CVE-2025-40312 https://git.kernel.org/stable/c/19cce65709a8a2966203653028d9004e28e85bd5
https://git.kernel.org/stable/c/fabc1348bb8fe6bc80850014ee94bd89945f7f4d
https://git.kernel.org/stable/c/46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f
https://git.kernel.org/stable/c/2870a7dec49ccdc3f6ae35da8f5d6737f21133a8
https://git.kernel.org/stable/c/ce054a366c54992185c9514e489a14f145b10c29
https://git.kernel.org/stable/c/1795277a4e98d82e6451544d43695540cee042ea
https://git.kernel.org/stable/c/8d6a9cbd276b3b85da0e7e98208f89416fed9265
https://git.kernel.org/stable/c/7a5aa54fba2bd591b22b9b624e6baa9037276986
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 (“vfs: catch invalid modes in may_open()”) requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records. 2025-12-08 not yet calculated CVE-2025-40313 https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c
https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921
https://git.kernel.org/stable/c/17249b2a65274f73ed68bcd1604e08a60fd8a278
https://git.kernel.org/stable/c/37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7
https://git.kernel.org/stable/c/57534db1bbc4ca772393bb7d92e69d5e7b9051cf
https://git.kernel.org/stable/c/4e8011ffec79717e5fdac43a7e79faf811a384b7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By separating the usb_del_gadget_udc() operation into distinct “del” and “put” steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget(). A patch similar to bb9c74a5bd14 (“usb: dwc3: gadget: Free gadget structure only after freeing endpoints”). 2025-12-08 not yet calculated CVE-2025-40314 https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1
https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9
https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77
https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c
https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix the issue. 2025-12-08 not yet calculated CVE-2025-40315 https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195
https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f
https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272
https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6
https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc
https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019
https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b
https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (“drm/mediatek: Fix kobject put for component sub-drivers”). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free. Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. 2025-12-08 not yet calculated CVE-2025-40316 https://git.kernel.org/stable/c/a5a896f8315de358a2932e2c23c42d550256046a
https://git.kernel.org/stable/c/0142fe895986addf35885b43440718e567121155
https://git.kernel.org/stable/c/8ba827e09eb586e952d10e39406fa02d10bb591e
https://git.kernel.org/stable/c/926d002e6d7e2f1fd5c1b53cf6208153ee7d380d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c (“ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()”) revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 … CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) … Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above, and it turns out that the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just “slimbus” (which is equal to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus(), but we should fix it till the point where __devm_regmap_init_slimbus() was introduced, therefore two “Fixes” tags. While at this, also correct the same argument in __regmap_init_slimbus(). 2025-12-08 not yet calculated CVE-2025-40317 https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433
https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1
https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba
https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb
https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c
https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b
https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7
https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does a lookup and then cancels the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to a double list_del() and “UAF”. Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently. 2025-12-08 not yet calculated CVE-2025-40318 https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213
https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389
https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553
https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c
https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer. 2025-12-08 not yet calculated CVE-2025-40319 https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b
https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72
https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11
https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6
https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6
https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e
https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn’t reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 […] RIP: 0010:refcount_warn_saturate+0x9c/0x110 […] Call Trace: <TASK> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? step_into+0x10d/0x690 ? __legitimize_path+0x28/0x60 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? kmem_cache_alloc+0x18a/0x340 ? getname_flags+0x46/0x1e0 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] statfs_by_dentry+0x67/0x90 vfs_statfs+0x16/0xd0 user_statfs+0x54/0xa0 __do_sys_statfs+0x20/0x50 do_syscall_64+0x58/0x80 2025-12-08 not yet calculated CVE-2025-40320 https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b
https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c
https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806
https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the “actframe” IOVAR to firmware. The P2P interfaces are available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash. [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 […] [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) […] [ 1417.075653] Call trace: [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 [ 1417.076302] genl_rcv_msg+0x220/0x2a0 [ 1417.076317] netlink_rcv_skb+0x68/0x140 [ 1417.076330] genl_rcv+0x40/0x60 [ 1417.076343] netlink_unicast+0x330/0x3b8 [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 [ 1417.076370] __sock_sendmsg+0x64/0xc0 [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 [ 1417.076408] ___sys_sendmsg+0xb8/0x118 [ 1417.076427] __sys_sendmsg+0x90/0xf8 [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 [ 1417.076465] invoke_syscall+0x50/0x120 [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 [ 1417.076506] do_el0_svc+0x24/0x38 [ 1417.076525] el0_svc+0x30/0x100 [ 1417.076548] el0t_64_sync_handler+0x100/0x130 [ 1417.076569] el0t_64_sync+0x190/0x198 [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) Fix this by always using the vif corresponding to the wdev on which the Action frame transmission request was initiated by the userspace. This way, even if the P2P vif is not available, the IOVAR is sent to firmware on the AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver. Move init_completion() for “send_af_done” from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(), because the former function would not get executed when only hostapd is managing the wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame() without any prior init_completion(). And in the brcmf_p2p_tx_action_frame() function, the condition check for the P2P Presence Response frame is not needed, since wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif. [Cc stable] 2025-12-08 not yet calculated CVE-2025-40321 https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25
https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d
https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4
https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45
https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa
https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b
https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a
https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font’s glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot. 2025-12-08 not yet calculated CVE-2025-40322 https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc
https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b
https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec
https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545
https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f
https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1
https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620
https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx … Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here’s an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1; 2. Set fb1’s mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1’s modelist is freed, leaving a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0. Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL. 2025-12-08 not yet calculated CVE-2025-40323 https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb
https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d
https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f
https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8
https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. 2025-12-08 not yet calculated CVE-2025-40324 https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1
https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8
https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020
https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d
https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d
https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89
https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: NFSD: Define actions for the new time_deleg FATTR4 attributes NFSv4 clients won’t send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes. RFC 8881 Section 18.7.3 states: > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned. Further, RFC 9754 Section 5 states: > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation. Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is “invalid”, NFSD will return nfserr_inval, failing the request entirely. 2025-12-08 not yet calculated CVE-2025-40326 https://git.kernel.org/stable/c/d8f3f94dc950e7c62c96af432c26745885b0a18a
https://git.kernel.org/stable/c/4f76435fd517981f01608678c06ad9718a86ee98
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix system hang caused by cpu-clock usage cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami: 18dbcbfabfff (“perf: Fix the POLL_HUP delivery breakage”) causes this issue The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer. But that’s a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks. To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag. [ mingo: Fixed the comments and improved the changelog. ] 2025-12-09 not yet calculated CVE-2025-40327 https://git.kernel.org/stable/c/6b8c512811644cf2f5eaf6f44e928683c54127f0
https://git.kernel.org/stable/c/eb3182ef0405ff2f6668fd3e5ff9883f60ce8801
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap. 2025-12-09 not yet calculated CVE-2025-40328 https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6
https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427
https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5
https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe locking scenario: [ 1231.611033] CPU0 CPU1 [ 1231.611034] —- —- [ 1231.611035] lock(&xa->xa_lock#17); [ 1231.611038] local_irq_disable(); [ 1231.611039] lock(&fence->lock); [ 1231.611041] lock(&xa->xa_lock#17); [ 1231.611044] <Interrupt> [ 1231.611045] lock(&fence->lock); [ 1231.611047] *** DEADLOCK *** In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don’t disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0. Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback. dma_fence_signal() // locks f1.lock -> drm_sched_entity_kill_jobs_cb() -> foreach dependencies -> dma_fence_add_callback() // locks f2.lock This will deadlock if f1 and f2 share the same spinlock. To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work(). [phasta: commit message nits] 2025-12-09 not yet calculated CVE-2025-40329 https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e
https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9
https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01
https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Shutdown FW DMA in bnxt_shutdown() The netif_close() call in bnxt_shutdown() only stops packet DMA. There may be FW DMA for trace logging (recently added) that will continue. If we kexec to a new kernel, the DMA will corrupt memory in the new kernel. Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA. In case the call fails, call pcie_flr() to reset the function and stop the DMA. 2025-12-09 not yet calculated CVE-2025-40330 https://git.kernel.org/stable/c/1a8a15c3f71d1199d510ccba4bc201cbd2204048
https://git.kernel.org/stable/c/bc7208ca805ae6062f353a4753467d913d963bc6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use). 2025-12-09 not yet calculated CVE-2025-40331 https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3
https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a
https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e
https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85
https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42
https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677
https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196
https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mmap write lock not release If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken. Downgrading the mmap write lock to a read lock while draining retry faults fixes this bug. 2025-12-09 not yet calculated CVE-2025-40332 https://git.kernel.org/stable/c/e2105ba1c262dcaa9573f11844b6e1e1ca762c3f
https://git.kernel.org/stable/c/f7569ef1cf978aa87aa81b5e9bf40a77497f3685
https://git.kernel.org/stable/c/7574f30337e19045f03126b4c51f525b84e5049e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix infinite loop in __insert_extent_tree() When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case. 2025-12-09 not yet calculated CVE-2025-40333 https://git.kernel.org/stable/c/765f8816d3959ef1f3f7f85e2af748594d091f40
https://git.kernel.org/stable/c/c0b9951bb2668d67eb4817bb23fc109abc08c075
https://git.kernel.org/stable/c/f4c31adcb2a0556f43776d4e51a67de88d7fb9ee
https://git.kernel.org/stable/c/23361bd54966b437e1ed3eb1a704572f4b279e58
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq buffer virtual address and size It needs to validate the userq object virtual address to determine whether it is resident in a valid vm mapping. 2025-12-09 not yet calculated CVE-2025-40334 https://git.kernel.org/stable/c/5a577de86c4a1c67ca405571d6ef84e65c6897d1
https://git.kernel.org/stable/c/9e46b8bb0539d7bc9a9e7b3072fa4f6082490392
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq input args This will help on validating the userq input args, and rejecting invalid userq requests at the IOCTL in the first place. 2025-12-09 not yet calculated CVE-2025-40335 https://git.kernel.org/stable/c/bdaa7ad3a5bb606d7dbd5c8627dc7efcb2392eb9
https://git.kernel.org/stable/c/219be4711a1ba788bc2a9fafc117139d133e5fea
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/gpusvm: fix hmm_pfn_to_map_order() usage Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here. v2: – Add kernel-doc (Matt B) – s/fls/ilog2/ (Thomas) 2025-12-09 not yet calculated CVE-2025-40336 https://git.kernel.org/stable/c/08e9fd78ba1b9e95141181c69cc51795c9888157
https://git.kernel.org/stable/c/c50729c68aaf93611c855752b00e49ce1fdd1558
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype. However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid. This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel’s network stack will perform its own validation and properly handle the corrupt packet. 2025-12-09 not yet calculated CVE-2025-40337 https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683
https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d
https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea
https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing ‘name’ directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that. At the same time, update the order of operations – since commit cee28113db17 (“ASoC: dmaengine_pcm: Allow passing component name via config”) the framework does not override component->name if set before invoking the initializer. 2025-12-09 not yet calculated CVE-2025-40338 https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86
https://git.kernel.org/stable/c/4dee5c1cc439b0d5ef87f741518268ad6a95b23d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved. 2025-12-09 not yet calculated CVE-2025-40339 https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e
https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3
https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled. The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in “mem_type_is_vram(tbo->resource->mem_type)” because tbo->resource is NULL. It’s convoluted, but fits the data and explains the oops after the test exits. 2025-12-09 not yet calculated CVE-2025-40340 https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665
https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d
https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: futex: Don’t leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task’s robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task’s exec state remains stable during the check, allowing for consistent and synchronized validation of credentials. 2025-12-09 not yet calculated CVE-2025-40341 https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237
https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4
https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998
https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a
https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport. 2025-12-09 not yet calculated CVE-2025-40342 https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5
https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800
https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c
https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446
https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0
https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55
https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. 2025-12-09 not yet calculated CVE-2025-40343 https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e
https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d
https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570
https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40
https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154
https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI’s private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors. 2025-12-09 not yet calculated CVE-2025-40344 https://git.kernel.org/stable/c/ca6d2b7aca778afbf8c0c4b330d10cb228c14052
https://git.kernel.org/stable/c/b41fca4aa60be896ba8a81b57aac5dcc6eee66c0
https://git.kernel.org/stable/c/845f716dc5f354c719f6fda35048b6c2eca99331
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin – Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries. 2025-12-12 not yet calculated CVE-2025-40345 https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490
https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092
https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869
https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432
https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f
https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6
https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1
 
CronosWeb i2A–CronosWeb Direct Object Reference Vulnerability (IDOR) in i2A’s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users’ documents by manipulating the ‘documentCode’ parameter in ‘/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas’. 2025-12-10 not yet calculated CVE-2025-41358 https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a
 
CIRCL–Vulnerability-Lookup In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0. 2025-12-08 not yet calculated CVE-2025-42615 https://vulnerability.circl.lu/vuln/gcve-1-2025-0033
 
CIRCL–Vulnerability-Lookup Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness. The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0. 2025-12-08 not yet calculated CVE-2025-42616 https://vulnerability.circl.lu/vuln/gcve-1-2025-0034
 
CIRCL–Vulnerability-Lookup In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html). This issue affects Vulnerability-Lookup: before 2.18.0. 2025-12-08 not yet calculated CVE-2025-42620 https://vulnerability.circl.lu/vuln/gcve-1-2025-0035
 
Apple–macOS The issue was addressed by adding additional logic. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. 2025-12-12 not yet calculated CVE-2025-43320 https://support.apple.com/en-us/125887
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. 2025-12-12 not yet calculated CVE-2025-43351 https://support.apple.com/en-us/125634
 
Apple–macOS This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data. 2025-12-12 not yet calculated CVE-2025-43381 https://support.apple.com/en-us/125634
 
Apple–macOS An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43388 https://support.apple.com/en-us/125634
 
Apple–macOS A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. 2025-12-12 not yet calculated CVE-2025-43393 https://support.apple.com/en-us/125634
 
Apple–macOS The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.1. An app may be able to cause unexpected system termination or corrupt process memory. 2025-12-12 not yet calculated CVE-2025-43402 https://support.apple.com/en-us/125634
 
Apple–macOS A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43404 https://support.apple.com/en-us/125634
 
Apple–macOS A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43406 https://support.apple.com/en-us/125634
 
Apple–macOS The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2. An attacker with physical access may be able to view deleted notes. 2025-12-12 not yet calculated CVE-2025-43410 https://support.apple.com/en-us/125636
https://support.apple.com/en-us/125635
 
Apple–macOS A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. 2025-12-12 not yet calculated CVE-2025-43416 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–iOS and iPadOS An information disclosure issue was addressed with improved privacy controls. This issue is fixed in iOS 26.1 and iPadOS 26.1. An app may be able to fingerprint the user. 2025-12-12 not yet calculated CVE-2025-43437 https://support.apple.com/en-us/125632
 
Apple–macOS This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. 2025-12-12 not yet calculated CVE-2025-43461 https://support.apple.com/en-us/125634
 
Apple–macOS A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8.3, macOS Tahoe 26.1, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43463 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125887
 
Apple–macOS A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.1. Visiting a website may lead to an app denial-of-service. 2025-12-12 not yet calculated CVE-2025-43464 https://support.apple.com/en-us/125634
 
Apple–macOS A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43465 https://support.apple.com/en-us/125634
 
Apple–macOS An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43466 https://support.apple.com/en-us/125634
 
Apple–macOS This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to gain root privileges. 2025-12-12 not yet calculated CVE-2025-43467 https://support.apple.com/en-us/125634
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. A standard user may be able to view files made from a disk image belonging to an administrator. 2025-12-12 not yet calculated CVE-2025-43470 https://support.apple.com/en-us/125634
 
Apple–macOS The issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43471 https://support.apple.com/en-us/125634
 
Apple–macOS This issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43473 https://support.apple.com/en-us/125634
 
Apple–macOS The issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to cause a denial-of-service. 2025-12-12 not yet calculated CVE-2025-43482 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A mail header parsing issue was addressed with improved checks. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. An attacker may be able to cause a persistent denial-of-service. 2025-12-12 not yet calculated CVE-2025-43494 https://support.apple.com/en-us/125636
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125638
https://support.apple.com/en-us/125639
https://support.apple.com/en-us/125635
https://support.apple.com/en-us/125632
https://support.apple.com/en-us/125633
 
Apple–macOS An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. 2025-12-12 not yet calculated CVE-2025-43497 https://support.apple.com/en-us/125634
 
Apple–macOS A logic error was addressed with improved error handling. This issue is fixed in macOS Tahoe 26.1. iCloud Private Relay may not activate when more than one user is logged in at the same time. 2025-12-12 not yet calculated CVE-2025-43506 https://support.apple.com/en-us/125634
 
Apple–macOS This issue was addressed with improved data protection. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43509 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A memory corruption issue was addressed with improved lock state checking. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. A malicious application may cause unexpected changes in memory shared between processes. 2025-12-12 not yet calculated CVE-2025-43510 https://support.apple.com/en-us/125636
https://support.apple.com/en-us/125637
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125638
https://support.apple.com/en-us/125639
https://support.apple.com/en-us/125635
https://support.apple.com/en-us/125632
https://support.apple.com/en-us/125633
 
Apple–iOS and iPadOS A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected process crash. 2025-12-12 not yet calculated CVE-2025-43511 https://support.apple.com/en-us/125633
 
Apple–macOS A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to elevate privileges. 2025-12-12 not yet calculated CVE-2025-43512 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to read sensitive location information. 2025-12-12 not yet calculated CVE-2025-43513 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A session management issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. A user with Voice Control enabled may be able to transcribe another user’s activity. 2025-12-12 not yet calculated CVE-2025-43516 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. 2025-12-12 not yet calculated CVE-2025-43517 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API. 2025-12-12 not yet calculated CVE-2025-43518 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43519 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. A malicious application may be able to cause unexpected system termination or write kernel memory. 2025-12-12 not yet calculated CVE-2025-43520 https://support.apple.com/en-us/125636
https://support.apple.com/en-us/125637
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125638
https://support.apple.com/en-us/125639
https://support.apple.com/en-us/125635
https://support.apple.com/en-us/125632
https://support.apple.com/en-us/125633
 
Apple–macOS A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43521 https://support.apple.com/en-us/125887
 
Apple–macOS A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access user-sensitive data. 2025-12-12 not yet calculated CVE-2025-43522 https://support.apple.com/en-us/125887
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43523 https://support.apple.com/en-us/125887
 
Apple–macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to gain root privileges. 2025-12-12 not yet calculated CVE-2025-43527 https://support.apple.com/en-us/125887
 
Apple–macOS This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43530 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A memory corruption issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. Processing malicious data may lead to unexpected app termination. 2025-12-12 not yet calculated CVE-2025-43532 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sonoma 14.8.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-43538 https://support.apple.com/en-us/125888
 
Apple–macOS The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. Processing a file may lead to memory corruption. 2025-12-12 not yet calculated CVE-2025-43539 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS This issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.3. Password fields may be unintentionally revealed when remotely controlling a device over FaceTime. 2025-12-12 not yet calculated CVE-2025-43542 https://support.apple.com/en-us/125887
 
Apple–macOS An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. 2025-12-12 not yet calculated CVE-2025-46276 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS An integer overflow was addressed by adopting 64-bit timestamps. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to gain root privileges. 2025-12-12 not yet calculated CVE-2025-46285 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An attacker may be able to spoof their FaceTime caller ID. 2025-12-12 not yet calculated CVE-2025-46287 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Apple–macOS A logic issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. 2025-12-12 not yet calculated CVE-2025-46289 https://support.apple.com/en-us/125888
https://support.apple.com/en-us/125887
 
Google–Android In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48525 https://android.googlesource.com/platform/frameworks/base/+/31989869759e9b6119dc1cf324c395d789024908
https://android.googlesource.com/platform/frameworks/base/+/5ec1cdae1805dec292a2de5554896363eaa078eb
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48536 https://android.googlesource.com/platform/packages/apps/Settings/+/586f8dedd8e0e8a7ca5577cd1f06891f7e84e1e1
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48555 https://android.googlesource.com/platform/packages/apps/Settings/+/596c7b9911f2004df83b8d2708ad4b50e8d53805
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible intent filter bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48564 https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac
https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd
https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way to bypass the cross profile intent filter due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48565 https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac
https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd
https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48566 https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac
https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d
https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48569 https://source.android.com/security/bulletin/android-16-qpr2
 
Google–Android In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48572 https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48573 https://android.googlesource.com/platform/frameworks/base/+/039030a6b0e7d255af70609a3607e805ad2a99ff
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48575 https://android.googlesource.com/platform/packages/apps/CertInstaller/+/d688ebdbfd404df1e25654bfdf9e790ad9f0db3c
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In updateNotificationChannelGroupFromPrivilegedListener of NotificationManagerService.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48576 https://android.googlesource.com/platform/frameworks/base/+/b812baa1463c9f9e81efa617c9d08ed7a63488b4
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In connectInternal of MediaBrowser.java, there is a possible way to access a while-in-use permission while the app is in the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48580 https://android.googlesource.com/platform/frameworks/base/+/eb19b27ed8abe9070df9fb85bc9693c8d4ba321b
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48583 https://android.googlesource.com/platform/frameworks/base/+/02751bc65824a3877bdc21d865cd801b5e9f5e6c
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48584 https://android.googlesource.com/platform/frameworks/base/+/08a0766708db2071d9b8b65abf40d7e8057daaa1
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In onActivityResult of EditFdnContactScreen.java, there is a possible way to leak contacts from the work profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48586 https://android.googlesource.com/platform/packages/services/Telephony/+/851fc787e96189a37f88cb9eaa688087883357c3
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48588 https://android.googlesource.com/platform/frameworks/base/+/cabbb7da639520633ad318655d1b5fe1c685c78e
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grant permissions across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48589 https://android.googlesource.com/platform/frameworks/base/+/2aeba76a58c18f66502ecbba4c2e73a8d6e2928c
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48590 https://android.googlesource.com/platform/frameworks/base/+/848f944921756467dba98069ea33531a2f180373
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48591 https://android.googlesource.com/platform/frameworks/base/+/3df02a7df8488e04e31ae1d9d081ed1b881dd6ad
https://android.googlesource.com/platform/packages/services/Mms/+/43ca1053f0a09b6fd1503caaecb62967a497b554
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48592 https://android.googlesource.com/platform/frameworks/av/+/8febdebcb5e8736ec013a7d64e70f50e87649b52
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48594 https://android.googlesource.com/platform/frameworks/base/+/ea2bcc66534263fac4c337f1a5149704c2262169
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48596 https://android.googlesource.com/platform/frameworks/native/+/6ffdde944d4e0b440b1dfc1f232687299700e039
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48597 https://android.googlesource.com/platform/frameworks/base/+/68170bad52250399d2e4a1a8023a3e7aeda1887d
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way to alter the primary user’s face unlock settings due to a confused deputy. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48598 https://android.googlesource.com/platform/packages/apps/Settings/+/83447688f8e3e8f009f1e7d275a14ea00ee7953a
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48599 https://android.googlesource.com/platform/packages/apps/Settings/+/7a792e0b8f68bc4aeb939af703790fd76b51ccbd
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48600 https://android.googlesource.com/platform/packages/modules/IntentResolver/+/bbe2dc3fb85fac9053b427b6d3c4af3506e0d9b4
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible permanent denial of service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48601 https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In InputMethodInfo of InputMethodInfo.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48603 https://android.googlesource.com/platform/frameworks/base/+/b4c6786312a217ad9dfd97041b2f1e2f77e39b94
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48604 https://android.googlesource.com/platform/packages/services/Mms/+/c60a828b9fa18f67260775a46c752f353fcc0d43
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48606 https://source.android.com/security/bulletin/android-16-qpr2
 
Google–Android In multiple locations, there is a possible way to create a large amount of app ops due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48607 https://android.googlesource.com/platform/frameworks/base/+/03d7040699148c961df09dec301d8a1e982ee231
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48608 https://source.android.com/security/bulletin/android-16-qpr2
 
Google–Android In __pkvm_guest_relinquish_to_host of mem_protect.c, there is a possible configuration data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48610 https://android.googlesource.com/kernel/common/+/19fbea31785113700731f4b458d7e20d05777729
https://android.googlesource.com/kernel/common/+/cac44a0bcfc58c85082b13220b4adcac43ccf369
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations, there is a possible way for an application on a work profile to set the main user’s default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48612 https://android.googlesource.com/platform/packages/apps/Settings/+/aa744e8988f0e7b77a71087edd4d2546b58d2f24
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. This could lead to physical denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48614 https://android.googlesource.com/platform/frameworks/base/+/ec0c32ea736ba3c594352c345358a778334bc773
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48615 https://android.googlesource.com/platform/frameworks/base/+/a5795fc0cf1f21da88cf05ad06610d3653d1be0e
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In processLaunchBrowser of CommandParamsFactory.java, there is a possible browser interaction from the lockscreen due to improper locking. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48618 https://android.googlesource.com/platform/frameworks/opt/telephony/+/fee68bcdcf029e8f40980616d09367610544bc62
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third party application’s component name to persist even after uninstalling due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48620 https://android.googlesource.com/platform/frameworks/base/+/db86972777c84a386d8a6d2d34879923bdbccdf6
https://android.googlesource.com/platform/frameworks/base/+/84dd2b90f4a2ea1ebc5b78f08f14c5a3b92c9c2d
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In DefaultTransitionHandler.java, there is a possible way to enable a tapjacking attack due to an insecure default. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48621 https://android.googlesource.com/platform/frameworks/native/+/cc34c7b416b964c05a42ae3e9c2929b59b92c64f
https://android.googlesource.com/platform/frameworks/base/+/6d1697c96c5cae5062f6aea58cf2665b7d646cb8
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In ProcessArea of dng_misc_opcodes.cpp, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48622 https://android.googlesource.com/platform/external/skia/+/40c3f0a50fb9b47f543be0949f9004e77510f494
https://android.googlesource.com/platform/external/dng_sdk/+/de700ad461e35af50b28b861943a0b0753b10929
https://android.googlesource.com/platform/cts/+/1bcf948f5e555ad7b9b54549698c3e569d7a0af5
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48623 https://android.googlesource.com/kernel/common/+/3b6fab0ff24f7108c71a4d9c12567455cb2a5a81
https://android.googlesource.com/kernel/common/+/e76cff4952af4ac4652dc74ffbd134ff57c47895
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48624 https://android.googlesource.com/kernel/common/+/0668e45a43398a07c3aa2ae08903097657efd87e
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48625 https://source.android.com/security/bulletin/android-16-qpr2
 
Google–Android In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48626 https://android.googlesource.com/platform/packages/apps/Launcher3/+/7628af9bf77f1d145359bf4075a6674574cae496
https://android.googlesource.com/platform/frameworks/base/+/9fb37191609f7cb7b2374531cafb2d00ec8b4bec
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48627 https://android.googlesource.com/platform/frameworks/base/+/d34ae40f870d4362a069940a035a4d58a536a231
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48628 https://android.googlesource.com/platform/frameworks/base/+/9489a5dcd3cdd426d5b39d9caf6bb78142af2399
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48629 https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48631 https://android.googlesource.com/platform/frameworks/base/+/d6df825fda3aa29cff7af05357005322152210fd
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48632 https://android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48633 https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48637 https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d
https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48638 https://android.googlesource.com/kernel/common/+/0429b7af308cf65c84109c08d06b01950dcd57fe
https://android.googlesource.com/kernel/common/+/96ebe96170d67df5072afa2ce84622f5a0ff552a
https://source.android.com/security/bulletin/2025-12-01
 
Google–Android In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. 2025-12-08 not yet calculated CVE-2025-48639 https://android.googlesource.com/platform/frameworks/native/+/cc34c7b416b964c05a42ae3e9c2929b59b92c64f
https://android.googlesource.com/platform/frameworks/base/+/6d1697c96c5cae5062f6aea58cf2665b7d646cb8
https://source.android.com/security/bulletin/2025-12-01
 
Alex Furr–PDF Creator Lite Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS. This issue affects PDF Creator Lite: from n/a through <= 1.2. 2025-12-09 not yet calculated CVE-2025-49341 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-creator-lite/vulnerability/wordpress-pdf-creator-lite-plugin-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Jupitercow–WP sIFR Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS. This issue affects WP sIFR: from n/a through <= 0.6.8.1. 2025-12-09 not yet calculated CVE-2025-49347 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-sifr/vulnerability/wordpress-wp-sifr-plugin-0-6-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Hype–Hype Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hype: from n/a through <= 1.0.5. 2025-12-09 not yet calculated CVE-2025-49348 https://vdp.patchstack.com/database/Wordpress/Plugin/pico/vulnerability/wordpress-hype-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve
 
marcoingraiti–Actionwear products sync Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <= 2.3.3. 2025-12-09 not yet calculated CVE-2025-49350 https://vdp.patchstack.com/database/Wordpress/Plugin/actionwear-products-sync/vulnerability/wordpress-actionwear-products-sync-plugin-2-3-3-broken-access-control-vulnerability?_s_id=cve
 
Valentin Agachi–Create Posts & Terms Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS. This issue affects Create Posts & Terms: from n/a through <= 1.3.1. 2025-12-09 not yet calculated CVE-2025-49351 https://vdp.patchstack.com/database/Wordpress/Plugin/create-posts-terms/vulnerability/wordpress-create-posts-terms-plugin-1-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
n/a–PagerDuty Runbook PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from “password” to “text” using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. 2025-12-10 not yet calculated CVE-2025-52493 https://www.praetorian.com
https://www.pagerduty.com/security/disclosure/
https://www.pagerduty.com/platform/automation/
https://github.com/carterross2/Vulnerability-Research/tree/main/CVE-2025-52493
 
Japan Total System Co.,Ltd.–GroupSession Free edition Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it. 2025-12-12 not yet calculated CVE-2025-53523 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Apache Software Foundation–Apache StreamPark When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. 2025-12-12 not yet calculated CVE-2025-53960 https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy
 
node-saml–node-saml Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0. 2025-12-12 not yet calculated CVE-2025-54369 https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7
https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10
https://github.com/node-saml/node-saml/releases/tag/v5.1.0
 
Japan Total System Co.,Ltd.–GroupSession Free edition Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. 2025-12-12 not yet calculated CVE-2025-54407 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Canonical–apport It was discovered that process_crash() in data/apport in Canonical’s Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups. 2025-12-10 not yet calculated CVE-2025-5467 https://www.stratascale.com/resource/cve-2025-32462-ubuntu-apport-vulnerability/
https://bugs.launchpad.net/apport/+bug/2106338
 
Yandex–Messenger Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.245. 2025-12-09 not yet calculated CVE-2025-5469 https://yandex.com/bugbounty/i/hall-of-fame-products
 
Yandex–Disk Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking. This issue affects Disk: before 3.2.45.3275. 2025-12-09 not yet calculated CVE-2025-5470 https://yandex.com/bugbounty/i/hall-of-fame-products
 
Yandex–Telemost Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.19.1. 2025-12-09 not yet calculated CVE-2025-5471 https://yandex.com/bugbounty/i/hall-of-fame-products
 
Apache Software Foundation–Apache StreamPark In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. 2025-12-12 not yet calculated CVE-2025-54947 https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1
 
Apache Software Foundation–Apache StreamPark Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. 2025-12-12 not yet calculated CVE-2025-54981 https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. Opening a malicious PDF containing a crafted JavaScript call to search.query() with a crafted cDIPath parameter (e.g., “/”) may cause an out-of-bounds read in internal path-parsing logic, potentially leading to information disclosure or memory corruption. 2025-12-11 not yet calculated CVE-2025-55307 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. A crafted PDF containing JavaScript that calls closeDoc() while internal objects are still in use can cause premature release of these objects. This use-after-free vulnerability may lead to memory corruption, potentially resulting in information disclosure when the PDF is opened. 2025-12-11 not yet calculated CVE-2025-55308 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can contain JavaScript that attaches an OnBlur action on a form field that destroys an annotation. During user right-click interaction, the program’s internal focus change handling prematurely releases the annotation object, resulting in a use-after-free vulnerability that may cause memory corruption or application crashes. 2025-12-11 not yet calculated CVE-2025-55309 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. An attacker able to alter or replace the static HTML files used by the StartPage feature can cause the application to load malicious or compromised content upon startup. This may result in information disclosure, unauthorized data access, or other security impacts. 2025-12-11 not yet calculated CVE-2025-55310 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file’s modification status via JavaScript interfaces. This circumvents digital signature verification by hiding document modifications, allowing an attacker to mislead users about the document’s integrity and compromise the trustworthiness of signed PDFs. 2025-12-11 not yet calculated CVE-2025-55311 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal states. Subsequent annotation management operations assume these states are valid, causing dereference of invalid or released memory. This can lead to memory corruption, application crashes, and potentially allow an attacker to execute arbitrary code. 2025-12-11 not yet calculated CVE-2025-55312 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. They allow potential arbitrary code execution when processing crafted PDF files. The vulnerability stems from insufficient handling of memory allocation failures after assigning an extremely large value to a form field’s charLimit property via JavaScript. This can result in memory corruption and may allow an attacker to execute arbitrary code by persuading a user to open a malicious file. 2025-12-11 not yet calculated CVE-2025-55313 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF and Editor An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal states. Subsequent annotation management operations assume these states are valid, causing dereference of invalid or released memory. This can lead to memory corruption, application crashes, and potentially allow an attacker to execute arbitrary code. 2025-12-11 not yet calculated CVE-2025-55314 https://www.foxit.com/support/security-bulletins.html
 
n/a–HotelDruid v3.0.7 and before HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file. 2025-12-11 not yet calculated CVE-2025-55816 https://www.hoteldruid.com/en/
https://www.partywave.site/show/research/cve-2025-55816-xss-and-raptx
 
n/a–Ruijie RG-RAP2200(E) 247 2200 OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56077 https://1drv.ms/t/c/12406a392c92914b/EURTWAoIJNRMtvzNPi08CToB780nsKPNHZ2Fdmcf9xsoRA?e=jHygdj
https://1drv.ms/f/c/12406a392c92914b/EvnzTspA23NAl-T9w70dG4MBnWWojsrzAeM1i-ed2EauAA?e=AYOxPM
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56077.md
 
n/a–Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56079 https://1drv.ms/t/c/12406a392c92914b/EZdYNxRd8ilMrCRXLnltUKEBiBXJzrTc9i7Y643cuho9PA?e=7Bifxw
https://1drv.ms/f/c/12406a392c92914b/EjGDN1e4xfZOhROI3hzjKr0Bb9TVCN03MAR_VK56P8V3Ug?e=NmUXvt
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56079.md
 
n/a–Ruijie RG-BCR RG-BCR600W OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua. 2025-12-11 not yet calculated CVE-2025-56082 https://1drv.ms/t/c/12406a392c92914b/EfCFw0RRV0hJvpV0rBLvTvABtWGVbrHzIPwPyku7phQ3Dg?e=GMqLpV
https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56082.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge.lua. 2025-12-11 not yet calculated CVE-2025-56083 https://1drv.ms/t/c/12406a392c92914b/EciYj-O9Oi1PgNsZdTao0iwBub3gdfqA3safE0A4I9foYg?e=Mi39JB
https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56083.md
 
n/a–Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56084 https://1drv.ms/t/c/12406a392c92914b/EdfdfnvOxAhJqdeIGlRRo6ABHJz03PPPBYIMdLoD6iNhlg?e=qNhi6o
https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56084.md
 
n/a–Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56085 https://1drv.ms/t/c/12406a392c92914b/ERuoK3MLW2RLpQ6qOoGs5wIB73tNnsDzRT8U6U6z4VmskQ?e=KIjaOa
https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56085.md
 
n/a–Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56086 https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK
https://1drv.ms/t/c/12406a392c92914b/ETgTxS2wFBlCjG4DP56-PjkBWwvraLHZ-BVaWh9Vs9_SuA?e=aTbjEe
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56086.md
 
n/a–Ruijie RG-BCR RG-BCR600W OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua. 2025-12-11 not yet calculated CVE-2025-56087 https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb
https://1drv.ms/t/c/12406a392c92914b/Echt6Ult6oNBv8c0GnssJeEBmbJbPx8enDixRCuyiWcKsw?e=2zJ5I2
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56087.md
 
n/a–Ruijie RG-BCR RG-BCR860 OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua. 2025-12-11 not yet calculated CVE-2025-56088 https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
https://1drv.ms/t/c/12406a392c92914b/EQ5pK82-KmxKht6YgsEzaOsBzrC05Cael1vwpfM9ZxX97Q?e=qEgmtB
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56088.md
 
n/a–Ruijie M18 EW_3.0(1)B11P226_M18_10223116 OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56089 https://1drv.ms/t/c/12406a392c92914b/Ea56irtVj4dNs59Pzz7fkiIBQeVLjDcMDEXC2FpCQydIZQ?e=70gcOe
https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56089.md
 
n/a–Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56090 https://1drv.ms/t/c/12406a392c92914b/EfSHWqE3N11FpgQsV1BlZk0BxXIhFQjIp_xmJYIq1APvrw?e=JCIm6k
https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56090.md
 
n/a–Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56091 https://1drv.ms/t/c/12406a392c92914b/EdiWfxSbC0pAu_oksKjm2xgBXSCavYBBJt8V51JkcH4Dsw?e=OhOVCN
https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md
 
n/a–Ruijie X30 PRO V1 X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56092 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/EaD98URfTfFKm1v_MTfU-UEBUxRf5vj3O0x7fhabn5_l9A?e=BuNPV9
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua. 2025-12-11 not yet calculated CVE-2025-56093 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/Edoz9sBTjeJMqw8K0f3lWgMBNxBlpE9IIUwOX2h2S1cMhw?e=46VlOq
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56092.md
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56093.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay.lua. 2025-12-11 not yet calculated CVE-2025-56094 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/EX8LVTGd3L9OrXvTuHDFITQBnWL-5C-CINxUmowR7vCVig?e=Quevaq
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56094.md
 
n/a–Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56095 https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62
https://1drv.ms/t/c/12406a392c92914b/EQgGsVREbAJEv4dCG7LAzoYBUiS4nCjWKun_QhenDHzU0Q?e=Ly0lll
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56095.md
 
n/a–Ruijie RG-BCR RG-BCR600W OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua. 2025-12-11 not yet calculated CVE-2025-56096 https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb
https://1drv.ms/t/c/12406a392c92914b/EQ8FKwFLNjBLlL9hyg_YkUoBdsj_FcNtQsjdmKQ5M4-10A?e=bFC7Jg
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56096.md
 
n/a–Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56097 https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi
https://1drv.ms/t/c/12406a392c92914b/EeVJ2woYmHVHn_C0Sy_iRZsB4yZQFJDXSBOwMSZW0KXJrQ?e=VVGxWb
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56097.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56098 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/EYC9-EvSxKZOum9kuAtPDq4BjKb0c8IV6B52lDEAD33pEA?e=2C0BKO
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56098.md
 
n/a–Ruijie RG-YST AP_3.0(1)B11P280YST250F OS Command Injection vulnerability in Ruijie RG-YST AP_3.0(1)B11P280YST250F allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. 2025-12-11 not yet calculated CVE-2025-56099 https://1drv.ms/t/c/12406a392c92914b/ETaD7apCrPFLtMj473NHV2gBaYrKV9A4ZZKMfyWgC949Zw?e=iyjx5g
https://1drv.ms/f/c/12406a392c92914b/EjgEtJ5yojhDpEoT-PbidhsBzsbVnT-D-32qK1bCrQN3-g?e=cVRYgN
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56099.md
 
n/a–Ruijie M18 EW_3.0(1)B11P226_M18_10223116 OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56101 https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM
https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md
 
n/a–Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56102 https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6
https://1drv.ms/t/c/12406a392c92914b/EXNcf0lLKjZLv6U4-ErArMkBKqwLJhJbiJwuQl5MSd0W3w?e=GfXnnz
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56102.md
 
n/a–Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56106 https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6
https://1drv.ms/t/c/12406a392c92914b/EcUP8SMciOVBgNEy31-OnnkBQRk_fUCDWUtdDX8UBfbXEA?e=FuQDPi
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56106.md
 
n/a–Ruijie RG-BCR RG-BCR600W OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua. 2025-12-11 not yet calculated CVE-2025-56107 https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb
https://1drv.ms/t/c/12406a392c92914b/ESr3_xpg5ZxFkRAKG7hiGVcBF3Cw_52dWpSvUOtgx3hPhw?e=c5RTxg
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56107.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. 2025-12-11 not yet calculated CVE-2025-56108 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/Ecib6–fxv9HhrfAdhmP5R4BOPDcTcqTOBt0hQBEx5BTxA?e=s3ejN1
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56108.md
 
n/a–Ruijie RG-BCR RG-BCR860 OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless.lua. 2025-12-11 not yet calculated CVE-2025-56109 https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
https://1drv.ms/t/c/12406a392c92914b/Eebxh85meOlFnvAANaOt7WgBy_WVGYtW6X8dzvZBZSenbw?e=aaqmPN
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56109.md
 
n/a–Ruijie RG-BCR RG-BCR860 OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua. 2025-12-11 not yet calculated CVE-2025-56110 https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md
 
n/a–Ruijie RG-BCR RG-BCR860 OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the network_set_wan_conf in file /usr/lib/lua/luci/controller/admin/netport.lua. 2025-12-11 not yet calculated CVE-2025-56111 https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
https://1drv.ms/t/c/12406a392c92914b/ERJa0DnnR29MqtbLLRQirGYB4qA9dAdpn6eIJH9LwNlBmw?e=y6KkGo
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56111.md
 
n/a–Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. 2025-12-11 not yet calculated CVE-2025-56113 https://1drv.ms/t/c/12406a392c92914b/EY_XOykAOvJJkGsDkmahTboBmmvNWczbXF3brroYsTWmTA?e=2Itzta
https://1drv.ms/f/c/12406a392c92914b/EsGqqVSQqCVBjjz2FhAHAiAB4MCHo41vIuw2wPgLykbupA?e=YgF1gt
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56113.md
 
n/a–Ruijie M18 EW_3.0(1)B11P226_M18_10223116 OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56114 https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM
https://1drv.ms/t/c/12406a392c92914b/EWfEhLkTSblOur72XhaQ7W4BsxQ1IWXZ-Wkcv9WC7AYb-g?e=LpMdqT
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56114.md
 
n/a–Ruijie X30-PRO X30-PRO-V1_09241521 OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56117 https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
https://1drv.ms/t/c/12406a392c92914b/Ed2lBCN9vhdPnEs7WKvpfEQBp7czazgO9PYxS2TFSHx7TQ?e=HZZaGq
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56117.md
 
n/a–Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. 2025-12-11 not yet calculated CVE-2025-56118 https://1drv.ms/t/c/12406a392c92914b/EV2jr71QaoFBjf3SLQcUA6sBcmzSsyx2jJ_XY7yOBk_Sjg?e=WOY7Wd
https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56118.md
 
n/a–Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. 2025-12-11 not yet calculated CVE-2025-56120 https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh
https://1drv.ms/t/c/12406a392c92914b/EZf6v9BXDpFAs09oCidKJ8oBXclUWtjyMcQv3DgMfISkJg?e=MyjOdI
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56120.md
 
n/a–Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56122 https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi
https://1drv.ms/t/c/12406a392c92914b/EZOBtzLwlmBKschv6sxT_LcBBKnMP_OXO7d24321UD8x8g?e=Dpui5j
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56122.md
 
n/a–Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56123 https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62
https://1drv.ms/t/c/12406a392c92914b/ERjNMNZRBD5HoYydt7Kb3kwBT4ycJXROxTsVBB-WXXqH6Q?e=q8Lcd2
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56123.md
 
n/a–Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. 2025-12-11 not yet calculated CVE-2025-56124 https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh
https://1drv.ms/t/c/12406a392c92914b/EWnUygFXeTVNigjp81gJ3LQBJ-hCSb_Yq4gGIMxlan7uJg?e=emOIoc
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56124.md
 
n/a–Ruijie RG-BCR RG-BCR600W OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua. 2025-12-11 not yet calculated CVE-2025-56127 https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb
https://1drv.ms/t/c/12406a392c92914b/EQkKqI8NW45AgBgScwGNiPABEK0YLvNQFgNtqLaWAhCPVw?e=cLDW5t
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56127.md
 
n/a–Ruijie RG-BCR RG-BCR860 OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua. 2025-12-11 not yet calculated CVE-2025-56129 https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10
https://1drv.ms/t/c/12406a392c92914b/EaJ2e_mzgltOiHqb4t8xIvgBoT2CYEP0nrhZd7IYlCHSPQ?e=miUrrL
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56129.md
 
n/a–Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua. 2025-12-11 not yet calculated CVE-2025-56130 https://1drv.ms/f/c/12406a392c92914b/EpWU9cQdd5RNszcYlTj2cGsBfiClkCwF0zCsLNYer2VIZA?e=ANIgPM
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56130.md
 
n/a–Fearless Geek Media FearlessCMS v.0.0.2-15 Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component. 2025-12-10 not yet calculated CVE-2025-56429 https://github.com/fearlessgeekmedia/FearlessCMS/issues/36
 
n/a–Fearless Geek Media FearlessCMS v.0.0.2-15 Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the deleteDirectory function. 2025-12-10 not yet calculated CVE-2025-56430 https://github.com/fearlessgeekmedia/FearlessCMS/issues/36
 
n/a–Fearless Geek Media FearlessCMS v.0.0.2-15 Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the file_get_contents() function. 2025-12-10 not yet calculated CVE-2025-56431 https://github.com/fearlessgeekmedia/FearlessCMS/issues/36
 
n/a–LeptonCMS version 7.3.0 LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code. 2025-12-09 not yet calculated CVE-2025-56704 http://lepton.com
https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf
https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf
https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf
 
Japan Total System Co.,Ltd.–GroupSession Free edition Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. 2025-12-12 not yet calculated CVE-2025-57883 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Apache Software Foundation–Apache Fineract Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. 2025-12-12 not yet calculated CVE-2025-58130 https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy
 
Apache Software Foundation–Apache Fineract Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. 2025-12-12 not yet calculated CVE-2025-58137 https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww
 
Japan Total System Co.,Ltd.–GroupSession Free edition Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may be performed. 2025-12-12 not yet calculated CVE-2025-58576 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
AMI–AptioV APTIOV contains a vulnerability in BIOS where a user may cause “Improper Handling of Insufficient Permissions or Privileges” by local access. Successful exploitation of this vulnerability can lead to escalation of authorization and potentially impact Integrity and Availability. 2025-12-12 not yet calculated CVE-2025-58770 https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025009.pdf
 
Badi Jones–Duplicate Content Cure Cross-Site Request Forgery (CSRF) vulnerability in Badi Jones Duplicate Content Cure duplicate-content-cure allows Cross Site Request Forgery. This issue affects Duplicate Content Cure: from n/a through <= 1.0. 2025-12-09 not yet calculated CVE-2025-59132 https://vdp.patchstack.com/database/Wordpress/Plugin/duplicate-content-cure/vulnerability/wordpress-duplicate-content-cure-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
n/a–libcoap’s OSCORE A memory disclosure vulnerability exists in libcoap’s OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service. 2025-12-08 not yet calculated CVE-2025-59391 https://github.com/obgm/libcoap/releases/tag/v4.3.5a
https://github.com/obgm/libcoap/pull/1730
 
n/a–Foxit PDF Editor and Reader before 2025.2.1 Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via OCG. When Optional Content Groups (OCG) are supported, the state property of an OCG is runtime-only and not included in the digital signature computation buffer. An attacker can leverage JavaScript or PDF triggers to dynamically change the visibility of OCG content after signing (Post-Sign), allowing the visual content of a signed PDF to be modified without invalidating the signature. This may result in a mismatch between the signed content and what the signer or verifier sees, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1. 2025-12-11 not yet calculated CVE-2025-59802 https://www.foxit.com/support/security-bulletins.html
 
n/a–Foxit PDF Editor and Reader before 2025.2.1 Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. An attacker can embed triggers (e.g., JavaScript) in a PDF document that execute during the signing process. When a signer reviews the document, the content appears normal. However, once the signature is applied, the triggers modify content on other pages or optional content layers without explicit warning. This can cause the signed PDF to differ from what the signer saw, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1. 2025-12-11 not yet calculated CVE-2025-59803 https://www.foxit.com/support/security-bulletins.html
 
n/a–phpIPAM v1.7.3 phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an administrator has an active session. 2025-12-08 not yet calculated CVE-2025-60912 https://github.com/phpipam/phpipam
https://gist.github.com/amandrei/a8377d9b71c55156d22aaaf485463d15
 
n/a–GmbH Mitarbeiterportal 2.15.2.0 A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other users via manipulation of the ‘Inhalt’ parameter of the ‘/SchwarzeBrett/Nachrichten/CreateNachricht’ or ‘/SchwarzeBrett/Nachrichten/EditNachricht/’ requests. 2025-12-09 not yet calculated CVE-2025-61074 https://www.adata.de/mitarbeiter-portal/
https://no-sec.net/posts/cve-2025-61074/
 
n/a–GmbH Mitarbeiterportal 2.15.2.0 Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls. 2025-12-09 not yet calculated CVE-2025-61075 https://www.adata.de/mitarbeiter-portal/
https://no-sec.net/posts/cve-2025-61075/
 
n/a–phpIPAM v1.7.3 Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint. 2025-12-09 not yet calculated CVE-2025-61078 http://phpipam.com
https://glitch0ne.com/2025/12/05/cve-2025-61078-cross-site-scripting-xss-vulnerability-in-request-ip-form-in-phpipam-v1-7-3/
 
n/a–Outsystems Platform Server 11.18.1.37828 An issue was discovered in Outsystems Platform Server 11.18.1.37828 that allows attackers to cause a denial of service via a crafted Content-Length value that does not match the body length. 2025-12-09 not yet calculated CVE-2025-61258 https://www.outsystems.com/
https://balwurk.com/
https://balwurk.github.io/CVE-2025-61258/
 
n/a–Emlog Pro 2.5.20 Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification and dangerous code filtering for deletion parameters, allowing attackers to exploit this feature for directory traversal. 2025-12-08 not yet calculated CVE-2025-61318 https://github.com/AndyNull/em/blob/main/emlog%20pro%20-%20del%20vuln.md
 
Japan Total System Co.,Ltd.–GroupSession Free edition In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. 2025-12-12 not yet calculated CVE-2025-61950 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Japan Total System Co.,Ltd.–GroupSession Free edition GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2 do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed. 2025-12-12 not yet calculated CVE-2025-61987 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Nasir Uddin–Generic Elements Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS. This issue affects Generic Elements: from n/a through <= 1.2.8. 2025-12-09 not yet calculated CVE-2025-62082 https://vdp.patchstack.com/database/Wordpress/Plugin/generic-elements-for-elementor/vulnerability/wordpress-generic-elements-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
berthaai–BERTHA AI Missing Authorization vulnerability in berthaai BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13. 2025-12-09 not yet calculated CVE-2025-62085 https://vdp.patchstack.com/database/Wordpress/Plugin/bertha-ai-free/vulnerability/wordpress-bertha-ai-plugin-1-13-broken-access-control-vulnerability?_s_id=cve
 
akazanstev–Яндекс Доставка (Boxberry) Missing Authorization vulnerability in akazanstev Яндекс Доставка (Boxberry) boxberry allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Яндекс Доставка (Boxberry): from n/a through <= 2.32. 2025-12-09 not yet calculated CVE-2025-62086 https://vdp.patchstack.com/database/Wordpress/Plugin/boxberry/vulnerability/wordpress-yandeks-dostavka-boxberry-plugin-2-32-broken-access-control-vulnerability?_s_id=cve
 
Jegstudio–Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons Missing Authorization vulnerability in Jegstudio Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons gutenverse-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons: from n/a through <= 3.0.2. 2025-12-09 not yet calculated CVE-2025-62090 https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-news/vulnerability/wordpress-gutenverse-news-advanced-news-magazine-blog-gutenberg-blocks-addons-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve
 
LambertGroup–Image&Video FullScreen Background Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. 2025-12-09 not yet calculated CVE-2025-62093 https://vdp.patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-sql-injection-vulnerability?_s_id=cve
 
themerain–ThemeRain Core Missing Authorization vulnerability in themerain ThemeRain Core themerain-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeRain Core: from n/a through <= 1.1.9. 2025-12-09 not yet calculated CVE-2025-62100 https://vdp.patchstack.com/database/Wordpress/Plugin/themerain-core/vulnerability/wordpress-themerain-core-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve
 
apasionados–DoFollow Case by Case Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through <= 3.5.1. 2025-12-09 not yet calculated CVE-2025-62102 https://vdp.patchstack.com/database/Wordpress/Plugin/dofollow-case-by-case/vulnerability/wordpress-dofollow-case-by-case-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
wpmediadownload–Media Library File Download Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4. 2025-12-09 not yet calculated CVE-2025-62103 https://vdp.patchstack.com/database/Wordpress/Plugin/media-download/vulnerability/wordpress-media-library-file-download-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
INFINITUM FORM–Geo Controller Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data. This issue affects Geo Controller: from n/a through <= 8.9.4. 2025-12-09 not yet calculated CVE-2025-62109 https://vdp.patchstack.com/database/Wordpress/Plugin/cf-geoplugin/vulnerability/wordpress-geo-controller-plugin-8-9-4-sensitive-data-exposure-vulnerability?_s_id=cve
 
Virtuaria–Virtuaria PagBank / PagSeguro para Woocommerce Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3. 2025-12-09 not yet calculated CVE-2025-62151 https://vdp.patchstack.com/database/Wordpress/Plugin/virtuaria-pagseguro/vulnerability/wordpress-virtuaria-pagbank-pagseguro-para-woocommerce-plugin-3-6-3-broken-access-control-vulnerability?_s_id=cve
 
ConveyThis–ConveyThis Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 268.10. 2025-12-09 not yet calculated CVE-2025-62152 https://vdp.patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability?_s_id=cve
 
Graham–Quick Interest Slider Missing Authorization vulnerability in Graham Quick Interest Slider quick-interest-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Interest Slider: from n/a through <= 3.1.5. 2025-12-09 not yet calculated CVE-2025-62153 https://vdp.patchstack.com/database/Wordpress/Plugin/quick-interest-slider/vulnerability/wordpress-quick-interest-slider-plugin-3-1-5-broken-access-control-vulnerability?_s_id=cve
 
Japan Total System Co.,Ltd.–GroupSession Free edition SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user. 2025-12-12 not yet calculated CVE-2025-62192 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
ProteusThemes–Custom Sidebars by ProteusThemes Cross-Site Request Forgery (CSRF) vulnerability in ProteusThemes Custom Sidebars by ProteusThemes custom-sidebars-by-proteusthemes allows Cross Site Request Forgery. This issue affects Custom Sidebars by ProteusThemes: from n/a through <= 1.0.3. 2025-12-09 not yet calculated CVE-2025-62733 https://vdp.patchstack.com/database/Wordpress/Plugin/custom-sidebars-by-proteusthemes/vulnerability/wordpress-custom-sidebars-by-proteusthemes-plugin-1-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Michael Revellin-Clerc–Media Library Downloader Cross-Site Request Forgery (CSRF) vulnerability in Michael Revellin-Clerc Media Library Downloader media-library-downloader allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0. 2025-12-09 not yet calculated CVE-2025-62734 https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-downloader/vulnerability/wordpress-media-library-downloader-plugin-1-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Joel–User Spam Remover Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Joel User Spam Remover user-spam-remover allows Retrieve Embedded Sensitive Data. This issue affects User Spam Remover: from n/a through <= 1.1. 2025-12-09 not yet calculated CVE-2025-62735 https://vdp.patchstack.com/database/Wordpress/Plugin/user-spam-remover/vulnerability/wordpress-user-spam-remover-plugin-1-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
opicron–Image Cleanup Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Cleanup: from n/a through <= 1.9.2. 2025-12-09 not yet calculated CVE-2025-62736 https://vdp.patchstack.com/database/Wordpress/Plugin/image-cleanup/vulnerability/wordpress-image-cleanup-plugin-1-9-2-broken-access-control-vulnerability?_s_id=cve
 
opicron–Image Cleanup Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in opicron Image Cleanup image-cleanup allows Retrieve Embedded Sensitive Data. This issue affects Image Cleanup: from n/a through <= 1.9.2. 2025-12-09 not yet calculated CVE-2025-62737 https://vdp.patchstack.com/database/Wordpress/Plugin/image-cleanup/vulnerability/wordpress-image-cleanup-plugin-1-9-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
mmattax–Formstack Online Forms Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2. 2025-12-09 not yet calculated CVE-2025-62738 https://vdp.patchstack.com/database/Wordpress/Plugin/formstack/vulnerability/wordpress-formstack-online-forms-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve
 
SaifuMak–Add Custom Codes Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery. This issue affects Add Custom Codes: from n/a through <= 4.80. 2025-12-09 not yet calculated CVE-2025-62739 https://vdp.patchstack.com/database/Wordpress/Plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Mario Peshev–WP-CRM System Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. 2025-12-09 not yet calculated CVE-2025-62740 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability?_s_id=cve
 
photoboxone–SMTP Mail Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.47. 2025-12-09 not yet calculated CVE-2025-62762 https://vdp.patchstack.com/database/Wordpress/Plugin/smtp-mail/vulnerability/wordpress-smtp-mail-plugin-1-3-47-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Evan Herman–Post Cloner Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Cloner: from n/a through <= 1.0.0. 2025-12-09 not yet calculated CVE-2025-62865 https://vdp.patchstack.com/database/Wordpress/Plugin/post-cloner/vulnerability/wordpress-post-cloner-plugin-1-0-0-broken-access-control-vulnerability?_s_id=cve
 
Valerio Monti–Auto Alt Text Cross-Site Request Forgery (CSRF) vulnerability in Valerio Monti Auto Alt Text auto-alt-text allows Cross Site Request Forgery. This issue affects Auto Alt Text: from n/a through <= 2.5.2. 2025-12-09 not yet calculated CVE-2025-62866 https://vdp.patchstack.com/database/Wordpress/Plugin/auto-alt-text/vulnerability/wordpress-auto-alt-text-plugin-2-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ergonet–Ergonet Cache Missing Authorization vulnerability in ergonet Ergonet Cache ergonet-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ergonet Cache: from n/a through <= 1.0.11. 2025-12-09 not yet calculated CVE-2025-62867 https://vdp.patchstack.com/database/Wordpress/Plugin/ergonet-varnish-cache/vulnerability/wordpress-ergonet-cache-plugin-1-0-11-broken-access-control-vulnerability?_s_id=cve
 
Gravitec.net – Web Push Notifications–Gravitec.net – Web Push Notifications Missing Authorization vulnerability in Gravitec.net – Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gravitec.net – Web Push Notifications: from n/a through <= 2.9.17. 2025-12-09 not yet calculated CVE-2025-62869 https://vdp.patchstack.com/database/Wordpress/Plugin/gravitec-net-web-push-notifications/vulnerability/wordpress-gravitec-net-web-push-notifications-plugin-2-9-17-broken-access-control-vulnerability?_s_id=cve
 
Eupago–Eupago Gateway For Woocommerce Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.6.3. 2025-12-09 not yet calculated CVE-2025-62870 https://vdp.patchstack.com/database/Wordpress/Plugin/eupago-gateway-for-woocommerce/vulnerability/wordpress-eupago-gateway-for-woocommerce-plugin-4-6-3-broken-access-control-vulnerability?_s_id=cve
 
Alex Prokopenko / JustCoded–Just TinyMCE Custom Styles Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1. 2025-12-09 not yet calculated CVE-2025-62871 https://vdp.patchstack.com/database/Wordpress/Plugin/just-tinymce-styles/vulnerability/wordpress-just-tinymce-custom-styles-plugin-1-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
JK–Social Photo Fetcher Cross-Site Request Forgery (CSRF) vulnerability in JK Social Photo Fetcher facebook-photo-fetcher allows Cross Site Request Forgery. This issue affects Social Photo Fetcher: from n/a through <= 3.0.4. 2025-12-09 not yet calculated CVE-2025-62872 https://vdp.patchstack.com/database/Wordpress/Plugin/facebook-photo-fetcher/vulnerability/wordpress-social-photo-fetcher-plugin-3-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Flashyapp–WP Flashy Marketing Automation Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation wp-flashy-marketing-automation allows Cross Site Request Forgery. This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8. 2025-12-09 not yet calculated CVE-2025-62873 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-flashy-marketing-automation/vulnerability/wordpress-wp-flashy-marketing-automation-plugin-2-0-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
rainafarai–Notification for Telegram Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <= 3.4.7. 2025-12-09 not yet calculated CVE-2025-62993 https://vdp.patchstack.com/database/Wordpress/Plugin/notification-for-telegram/vulnerability/wordpress-notification-for-telegram-plugin-3-4-7-broken-access-control-vulnerability?_s_id=cve
 
WP Messiah–WP AI CoPilot Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through <= 1.2.7. 2025-12-09 not yet calculated CVE-2025-62994 https://vdp.patchstack.com/database/Wordpress/Plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability-2?_s_id=cve
 
multiparcels–MultiParcels Shipping For WooCommerce Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12. 2025-12-09 not yet calculated CVE-2025-62995 https://vdp.patchstack.com/database/Wordpress/Plugin/multiparcels-shipping-for-woocommerce/vulnerability/wordpress-multiparcels-shipping-for-woocommerce-plugin-1-30-12-broken-access-control-vulnerability?_s_id=cve
 
Code Amp–Custom Layouts Post + Product grids made easy Missing Authorization vulnerability in Code Amp Custom Layouts – Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Layouts – Post + Product grids made easy: from n/a through <= 1.4.12. 2025-12-09 not yet calculated CVE-2025-62996 https://vdp.patchstack.com/database/Wordpress/Plugin/custom-layouts/vulnerability/wordpress-custom-layouts-post-product-grids-made-easy-plugin-1-4-12-broken-access-control-vulnerability?_s_id=cve
 
levelfourdevelopment–WP EasyCart Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data. This issue affects WP EasyCart: from n/a through <= 5.8.11. 2025-12-09 not yet calculated CVE-2025-62997 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-8-11-sensitive-data-exposure-vulnerability?_s_id=cve
 
themezaa–Litho Addons Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Litho Addons: from n/a through <= 3.4. 2025-12-09 not yet calculated CVE-2025-62999 https://vdp.patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerability?_s_id=cve
 
fuelthemes–North – Required Plugin Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in fuelthemes North – Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North – Required Plugin: from n/a through <= 1.4.2. 2025-12-09 not yet calculated CVE-2025-63003 https://vdp.patchstack.com/database/Wordpress/Plugin/north-plugin/vulnerability/wordpress-north-required-plugin-plugin-1-4-2-local-file-inclusion-vulnerability?_s_id=cve
 
Metagauss–EventPrime Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.4.1. 2025-12-09 not yet calculated CVE-2025-63006 https://vdp.patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-4-1-broken-access-control-vulnerability?_s_id=cve
 
Metagauss–EventPrime Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.4.1. 2025-12-09 not yet calculated CVE-2025-63007 https://vdp.patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-4-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
weDevs–WP ERP Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7. 2025-12-09 not yet calculated CVE-2025-63008 https://vdp.patchstack.com/database/Wordpress/Plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-16-7-broken-access-control-vulnerability?_s_id=cve
 
yuvalo–WP Google Analytics Events Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in yuvalo WP Google Analytics Events wp-google-analytics-events allows Retrieve Embedded Sensitive Data. This issue affects WP Google Analytics Events: from n/a through <= 2.8.2. 2025-12-09 not yet calculated CVE-2025-63009 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-analytics-events/vulnerability/wordpress-wp-google-analytics-events-plugin-2-8-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
ThemesInflow–Hercules Core Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4. 2025-12-09 not yet calculated CVE-2025-63010 https://vdp.patchstack.com/database/Wordpress/Plugin/hercules-core/vulnerability/wordpress-hercules-core-plugin-7-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
ThimPress–WP Hotel Booking Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. 2025-12-09 not yet calculated CVE-2025-63011 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThimPress–WP Hotel Booking Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. 2025-12-09 not yet calculated CVE-2025-63012 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ThimPress–WP Hotel Booking Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. 2025-12-09 not yet calculated CVE-2025-63013 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-sensitive-data-exposure-vulnerability?_s_id=cve
 
paysera–WooCommerce Payment Gateway – Paysera Missing Authorization vulnerability in paysera WooCommerce Payment Gateway – Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Payment Gateway – Paysera: from n/a through <= 3.9.0. 2025-12-09 not yet calculated CVE-2025-63015 https://vdp.patchstack.com/database/Wordpress/Plugin/woo-payment-gateway-paysera/vulnerability/wordpress-woocommerce-payment-gateway-paysera-plugin-3-9-0-broken-access-control-vulnerability?_s_id=cve
 
Easy Payment–Payment Gateway for PayPal on WooCommerce Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway for PayPal on WooCommerce: from n/a through <= 9.0.52. 2025-12-09 not yet calculated CVE-2025-63023 https://vdp.patchstack.com/database/Wordpress/Plugin/woo-paypal-gateway/vulnerability/wordpress-payment-gateway-for-paypal-on-woocommerce-plugin-9-0-52-broken-access-control-vulnerability?_s_id=cve
 
tychesoftwares–Order Delivery Date for WooCommerce Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1. 2025-12-09 not yet calculated CVE-2025-63024 https://vdp.patchstack.com/database/Wordpress/Plugin/order-delivery-date-for-woocommerce/vulnerability/wordpress-order-delivery-date-for-woocommerce-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
 
Xagio SEO–Xagio SEO Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.29. 2025-12-09 not yet calculated CVE-2025-63025 https://vdp.patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability?_s_id=cve
 
shinetheme–Traveler Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6. 2025-12-09 not yet calculated CVE-2025-63028 https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-broken-access-control-vulnerability?_s_id=cve
 
Saad Iqbal–New User Approve Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.0. 2025-12-09 not yet calculated CVE-2025-63030 https://vdp.patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Riyadh Ahmed–Make Section & Column Clickable For Elementor Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.3. 2025-12-09 not yet calculated CVE-2025-63033 https://vdp.patchstack.com/database/Wordpress/Plugin/make-section-column-clickable-elementor/vulnerability/wordpress-make-section-column-clickable-for-elementor-plugin-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Steve Truman–Page View Count Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page View Count: from n/a through <= 2.8.7. 2025-12-09 not yet calculated CVE-2025-63034 https://vdp.patchstack.com/database/Wordpress/Plugin/page-views-count/vulnerability/wordpress-page-view-count-plugin-2-8-7-settings-change-vulnerability?_s_id=cve
 
VibeThemes–WPLMS Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. 2025-12-09 not yet calculated CVE-2025-63035 https://vdp.patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
DFDevelopment–Ronneby Theme Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68. 2025-12-09 not yet calculated CVE-2025-63036 https://vdp.patchstack.com/database/Wordpress/Plugin/ronneby-core/vulnerability/wordpress-ronneby-theme-core-plugin-1-5-68-local-file-inclusion-vulnerability?_s_id=cve
 
DFDevelopment–Ronneby Theme Core Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68. 2025-12-09 not yet calculated CVE-2025-63037 https://vdp.patchstack.com/database/Wordpress/Plugin/ronneby-core/vulnerability/wordpress-ronneby-theme-core-plugin-1-5-68-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Themeum–Tutor LMS Elementor Addons Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a through <= 3.0.1. 2025-12-09 not yet calculated CVE-2025-63042 https://vdp.patchstack.com/database/Wordpress/Plugin/tutor-lms-elementor-addons/vulnerability/wordpress-tutor-lms-elementor-addons-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Xpro–Xpro Elementor Addons Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. 2025-12-09 not yet calculated CVE-2025-63044 https://vdp.patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
averta–Master Slider Pro Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS. This issue affects Master Slider Pro: from n/a through <= 3.7.12. 2025-12-09 not yet calculated CVE-2025-63045 https://vdp.patchstack.com/database/Wordpress/Plugin/masterslider/vulnerability/wordpress-master-slider-pro-plugin-3-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CridioStudio–ListingPro Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS. This issue affects ListingPro: from n/a through <= 2.9.9. 2025-12-09 not yet calculated CVE-2025-63046 https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-plugin/vulnerability/wordpress-listingpro-plugin-2-9-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CridioStudio–ListingPro Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9. 2025-12-09 not yet calculated CVE-2025-63047 https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-9-broken-access-control-vulnerability?_s_id=cve
 
CridioStudio–ListingPro Lead Form Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2. 2025-12-09 not yet calculated CVE-2025-63048 https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-lead-form/vulnerability/wordpress-listingpro-lead-form-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CridioStudio–ListingPro Lead Form Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2. 2025-12-09 not yet calculated CVE-2025-63049 https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-lead-form/vulnerability/wordpress-listingpro-lead-form-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve
 
sizam–REHub Framework Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in sizam REHub Framework rehub-framework allows Stored XSS. This issue affects REHub Framework: from n/a through <= 19.9.8. 2025-12-09 not yet calculated CVE-2025-63050 https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
GalleryCreator–SimpLy Gallery Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.2.8. 2025-12-09 not yet calculated CVE-2025-63052 https://vdp.patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ExpressTech Systems–Quiz And Survey Master Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1. 2025-12-09 not yet calculated CVE-2025-63054 https://vdp.patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-broken-access-control-vulnerability?_s_id=cve
 
Liton Arefin–Master Addons for Elementor Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9. 2025-12-09 not yet calculated CVE-2025-63055 https://vdp.patchstack.com/database/Wordpress/Plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
bestwebsoft–Contact Form by BestWebSoft Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.5. 2025-12-09 not yet calculated CVE-2025-63056 https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-plugin/vulnerability/wordpress-contact-form-by-bestwebsoft-plugin-4-3-5-broken-access-control-vulnerability?_s_id=cve
 
Roxnor–Wp Ultimate Review Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS. This issue affects Wp Ultimate Review: from n/a through <= 2.3.6. 2025-12-09 not yet calculated CVE-2025-63057 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-ultimate-review/vulnerability/wordpress-wp-ultimate-review-plugin-2-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Hiroaki Miyashita–Custom Field Template Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Retrieve Embedded Sensitive Data. This issue affects Custom Field Template: from n/a through <= 2.7.4. 2025-12-09 not yet calculated CVE-2025-63058 https://vdp.patchstack.com/database/Wordpress/Plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-4-sensitive-data-exposure-vulnerability?_s_id=cve
 
arscode–Ninja Popups Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in arscode Ninja Popups arscode-ninja-popups allows Stored XSS. This issue affects Ninja Popups: from n/a through <= 4.7.8. 2025-12-09 not yet calculated CVE-2025-63059 https://vdp.patchstack.com/database/Wordpress/Plugin/arscode-ninja-popups/vulnerability/wordpress-ninja-popups-plugin-4-7-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
hogash–Kallyas Cross-Site Request Forgery (CSRF) vulnerability in hogash Kallyas kallyas. This issue affects Kallyas: from n/a through <= 4.2. 2025-12-09 not yet calculated CVE-2025-63060 https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
hogash–Kallyas Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in hogash Kallyas kallyas allows DOM-Based XSS. This issue affects Kallyas: from n/a through <= 4.22.0. 2025-12-09 not yet calculated CVE-2025-63061 https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-22-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AndonDesign–UDesign Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion. This issue affects UDesign Core: from n/a through <= 4.14.0. 2025-12-09 not yet calculated CVE-2025-63062 https://vdp.patchstack.com/database/Wordpress/Plugin/u-design-core/vulnerability/wordpress-udesign-core-plugin-4-14-0-local-file-inclusion-vulnerability?_s_id=cve
 
Yandex Metrika–Yandex.Metrica Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yandex.Metrica: from n/a through <= 1.2.2. 2025-12-09 not yet calculated CVE-2025-63063 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-yandex-metrika/vulnerability/wordpress-yandex-metrica-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve
 
ashanjay–EventON Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ashanjay EventON eventon allows Stored XSS. This issue affects EventON: from n/a through <= 4.9.12. 2025-12-09 not yet calculated CVE-2025-63064 https://vdp.patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
David Lingren–Media Library Assistant Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Assistant: from n/a through <= 3.30. 2025-12-09 not yet calculated CVE-2025-63065 https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-30-broken-access-control-vulnerability?_s_id=cve
 
p-themes–Porto Theme – Functionality Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in p-themes Porto Theme – Functionality porto-functionality allows Stored XSS. This issue affects Porto Theme – Functionality: from n/a through <= 3.6.2. 2025-12-09 not yet calculated CVE-2025-63066 https://vdp.patchstack.com/database/Wordpress/Plugin/porto-functionality/vulnerability/wordpress-porto-theme-functionality-plugin-3-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
p-themes–Porto Theme – Functionality Missing Authorization vulnerability in p-themes Porto Theme – Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme – Functionality: from n/a through <= 3.6.2. 2025-12-09 not yet calculated CVE-2025-63067 https://vdp.patchstack.com/database/Wordpress/Plugin/porto-functionality/vulnerability/wordpress-porto-theme-functionality-plugin-3-6-2-broken-access-control-vulnerability?_s_id=cve
 
sevenspark–Contact Form 7 Dynamic Text Extension Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through <= 5.0.3. 2025-12-09 not yet calculated CVE-2025-63068 https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-7-dynamic-text-extension/vulnerability/wordpress-contact-form-7-dynamic-text-extension-plugin-5-0-3-content-injection-vulnerability?_s_id=cve
 
Vinod Dalvi–Ivory Search Missing Authorization vulnerability in Vinod Dalvi Ivory Search add-search-to-menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ivory Search: from n/a through <= 5.5.12. 2025-12-09 not yet calculated CVE-2025-63069 https://vdp.patchstack.com/database/Wordpress/Plugin/add-search-to-menu/vulnerability/wordpress-ivory-search-plugin-5-5-12-broken-access-control-vulnerability?_s_id=cve
 
Shahjada–Download Manager Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32. 2025-12-09 not yet calculated CVE-2025-63070 https://vdp.patchstack.com/database/Wordpress/Plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-32-sensitive-data-exposure-vulnerability?_s_id=cve
 
averta–Shortcodes and extra features for Phlox theme Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data. This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. 2025-12-09 not yet calculated CVE-2025-63071 https://vdp.patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-sensitive-data-exposure-vulnerability?_s_id=cve
 
THEMECO–Cornerstone Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3. 2025-12-09 not yet calculated CVE-2025-63072 https://vdp.patchstack.com/database/Wordpress/Plugin/cornerstone/vulnerability/wordpress-cornerstone-plugin-7-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Dream-Theme–The7 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS. This issue affects The7: from n/a through <= 12.8.0.2. 2025-12-09 not yet calculated CVE-2025-63073 https://vdp.patchstack.com/database/Wordpress/Theme/dt-the7/vulnerability/wordpress-the7-theme-12-8-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Dream-Theme–The7 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion. This issue affects The7: from n/a through <= 12.8.0.2. 2025-12-09 not yet calculated CVE-2025-63074 https://vdp.patchstack.com/database/Wordpress/Theme/dt-the7/vulnerability/wordpress-the7-theme-12-8-0-2-local-file-inclusion-vulnerability?_s_id=cve
 
muffingroup–Betheme Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in muffingroup Betheme betheme allows DOM-Based XSS. This issue affects Betheme: from n/a through <= 28.1.7. 2025-12-09 not yet calculated CVE-2025-63075 https://vdp.patchstack.com/database/Wordpress/Theme/betheme/vulnerability/wordpress-betheme-theme-28-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Dream-Theme–The7 Elements Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion. This issue affects The7 Elements: from n/a through <= 2.7.11. 2025-12-09 not yet calculated CVE-2025-63076 https://vdp.patchstack.com/database/Wordpress/Plugin/dt-the7-core/vulnerability/wordpress-the7-elements-plugin-2-7-11-local-file-inclusion-vulnerability?_s_id=cve
 
HappyMonster–Happy Addons for Elementor Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.2. 2025-12-09 not yet calculated CVE-2025-63077 https://vdp.patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-2-broken-access-control-vulnerability?_s_id=cve
 
n/a–XiangShan Nanhu V2 and XiangShan Kunmighu V3 XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. 2025-12-10 not yet calculated CVE-2025-63094 https://github.com/necst/aca25-xiangshan-spectre/blob/main/README.md
https://github.com/necst/aca25-xiangshan-spectre
 
n/a–HummerRisk through v1.5.0 HummerRisk through v1.5.0 uses a vulnerable Snakeyaml component, allowing attackers with normal user privileges to reach the /rule/add API and thereby achieve RCE and take over the server. 2025-12-08 not yet calculated CVE-2025-63721 https://github.com/k1ng0fic3/secrisk/blob/main/README.md
https://gist.github.com/k1ng0fic3/e8c8c9353fff8fa95e2c2952587e9266
 
n/a–Xinhu Rainrock RockOA 2.7.0 Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint. 2025-12-09 not yet calculated CVE-2025-63737 https://github.com/rainrocka/xinhu/issues/10
 
n/a–Xinhu Rainrock RockOA 2.7.0 An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php. 2025-12-09 not yet calculated CVE-2025-63738 https://github.com/rainrocka/xinhu/issues/11
 
n/a–Xinhu Rainrock RockOA 2.7.0 An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing authenticated users to modify PHP configuration files via the a parameter to the index.php endpoint. 2025-12-09 not yet calculated CVE-2025-63739 https://github.com/rainrocka/xinhu/issues/12
 
n/a–Xinhu Rainrock RockOA 2.7.0 SQL Injection vulnerability in function getselectdataAjax in file inputAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data, via the actstr parameter. 2025-12-09 not yet calculated CVE-2025-63740 https://github.com/rainrocka/xinhu/issues/13
 
n/a–Xinhu Rainrock RockOA 2.7.0 SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data, via the shouji and userid parameters. 2025-12-09 not yet calculated CVE-2025-63742 https://github.com/rainrocka/xinhu/issues/14
 
n/a–JXL 9 Inch Car Android Double Din Player Android v12.0 An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet. 2025-12-10 not yet calculated CVE-2025-63895 http://jxl.com
https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-63895/blob/main/README.md
 
n/a–Nextcloud Server 30.0.0 Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the field parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. 2025-12-12 not yet calculated CVE-2025-64011 https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=sharing
https://nextcloud.com
https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090
 
n/a–SourceCodester Patients Waiting Area Queue Management System v1 SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter. 2025-12-08 not yet calculated CVE-2025-64081 https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html
https://packetstorm.news/files/id/211592
 
n/a–PDF-XChange Editor v10.7.3.401 A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2025-12-09 not yet calculated CVE-2025-64085 https://www.pdf-xchange.com/
https://jeroscope.com/advisories/2025/jero-2025-012/
 
n/a–PDF-XChange Editor v10.7.3.401 A NULL pointer dereference vulnerability in the util.readFileIntoStream component of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2025-12-09 not yet calculated CVE-2025-64086 https://www.pdf-xchange.com/
https://jeroscope.com/advisories/2025/jero-2025-011/
 
EmbySupport–security Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81. 2025-12-09 not yet calculated CVE-2025-64113 https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84
 
Ronald Huereca–Photo Block Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1. 2025-12-09 not yet calculated CVE-2025-64254 https://vdp.patchstack.com/database/Wordpress/Plugin/photo-block/vulnerability/wordpress-photo-block-plugin-1-5-1-broken-access-control-vulnerability?_s_id=cve
 
Bowo–Admin and Site Enhancements (ASE) Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE): from n/a through <= 8.0.8. 2025-12-09 not yet calculated CVE-2025-64255 https://vdp.patchstack.com/database/Wordpress/Plugin/admin-site-enhancements/vulnerability/wordpress-admin-and-site-enhancements-ase-plugin-8-0-8-broken-access-control-vulnerability?_s_id=cve
 
PressTigers–Simple Folio Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Folio simple-folio allows Cross Site Request Forgery. This issue affects Simple Folio: from n/a through <= 1.1.0. 2025-12-09 not yet calculated CVE-2025-64256 https://vdp.patchstack.com/database/Wordpress/Plugin/simple-folio/vulnerability/wordpress-simple-folio-plugin-1-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Joe Dolson–My Tickets Missing Authorization vulnerability in Joe Dolson My Tickets my-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Tickets: from n/a through <= 2.1.0. 2025-12-09 not yet calculated CVE-2025-64257 https://vdp.patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-0-broken-access-control-vulnerability?_s_id=cve
 
Brother Industries, Ltd.–Android App “Brother iPrint&Scan” Android App “Brother iPrint&Scan” versions 6.13.7 and earlier improperly uses an external cache directory. If exploited, application-specific files may be accessed from other malicious applications. 2025-12-09 not yet calculated CVE-2025-64696 https://support.brother.com/g/s/security/
https://jvn.jp/en/vu/JVNVU99973778/
 
QualitySoft Corporation–QND Premium/Advance/Standard QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administrator privileges. As a result, sensitive information may be accessed or altered, and arbitrary actions may be performed. 2025-12-11 not yet calculated CVE-2025-64701 https://www.qualitysoft.com/product/qnd_vulnerabilities_2025/
https://jvn.jp/jp/JVN40102375/
 
sandboxie-plus–Sandboxie Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7. 2025-12-11 not yet calculated CVE-2025-64721 https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp
https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7
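The Sandboxie entry above describes the classic size-computation bug: a fixed header length is added to a caller-controlled 32-bit length, the sum wraps, and the copy that follows runs past a tiny allocation. The block below is an added illustration of that pattern and its fix, written for this bulletin; it is not Sandboxie's code. The header length (16 bytes), the policy cap on value size, and the message layout are assumptions chosen for the demo, not the real SbieSvc/SbieIniServer structures. The vulnerable path is modelled so that it reports whether the copy would overflow rather than actually performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed message layout for illustration only; not the real SbieSvc structures. */
#define MSG_HEADER_LEN 16u              /* fixed header prepended to the value */
#define MAX_VALUE_LEN  (64u * 1024u)    /* assumed policy cap on one value */

/* Vulnerable pattern: 32-bit header + caller-controlled length, no wrap check.
 * value_len = 0xFFFFFFF0 gives 0x1'0000'0000, which truncates to 0. */
uint32_t unchecked_alloc_size(uint32_t value_len) {
    return MSG_HEADER_LEN + value_len;
}

/* Hardened pattern: bound the length, then prove the addition cannot wrap.
 * Returns false when the request must be rejected. */
bool checked_alloc_size(uint32_t value_len, uint32_t *total) {
    if (value_len > MAX_VALUE_LEN) return false;                /* policy limit */
    if (value_len > UINT32_MAX - MSG_HEADER_LEN) return false;  /* would wrap */
    *total = MSG_HEADER_LEN + value_len;
    return true;
}

/* Same check for callers that only need the size: 0 means rejected
 * (0 is never a valid total because the header alone is 16 bytes). */
uint32_t checked_alloc_size_or_zero(uint32_t value_len) {
    uint32_t total;
    return checked_alloc_size(value_len, &total) ? total : 0;
}

/* Models the vulnerable handler without performing the overflowing copy:
 * true when copying value_len bytes after the header would run past the
 * buffer that unchecked_alloc_size() sized. */
bool unchecked_handler_overflows(uint32_t value_len) {
    uint32_t alloc = unchecked_alloc_size(value_len);
    uint64_t needed = (uint64_t)MSG_HEADER_LEN + value_len;    /* real requirement, no wrap */
    return needed > alloc;
}

/* Hardened handler: allocates the validated size and copies inside it.
 * Returns a heap buffer the caller frees, or NULL when rejected. */
unsigned char *build_message(const unsigned char *value, uint32_t value_len, uint32_t *out_len) {
    uint32_t total;
    if (!checked_alloc_size(value_len, &total)) return NULL;
    unsigned char *buf = calloc(1, total);
    if (!buf) return NULL;
    memcpy(buf, &value_len, sizeof value_len);       /* header: only the length field here */
    memcpy(buf + MSG_HEADER_LEN, value, value_len);  /* fits by construction */
    *out_len = total;
    return buf;
}

/* Builds, measures and frees; 0 means the handler refused the request. */
uint32_t hardened_message_len(const unsigned char *value, uint32_t value_len) {
    uint32_t total = 0;
    unsigned char *m = build_message(value, value_len, &total);
    bool ok = (m != NULL);
    free(m);
    return ok ? total : 0;
}

int main(void) {
    uint32_t evil = 0xFFFFFFF0u;
    printf("unchecked: 0x%08x -> alloc %u bytes, overflow=%d\n", evil,
           unchecked_alloc_size(evil), unchecked_handler_overflows(evil));
    printf("checked:   0x%08x -> %u (0 = rejected)\n", evil, checked_alloc_size_or_zero(evil));
    printf("hardened message for 3-byte value: %u bytes\n",
           hardened_message_len((const unsigned char *)"abc", 3));
    return 0;
}
```

The order of the two checks matters: the policy cap rejects absurd lengths early, and the explicit `UINT32_MAX - header` comparison is what makes the arithmetic safe on any width; compilers that offer `__builtin_add_overflow` can replace the second line, but the explicit form is portable. A privilege boundary like a SYSTEM service taking input from sandboxed clients should treat every length field as hostile in exactly this way.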
 
Japan Total System Co.,Ltd.–GroupSession Free edition In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, “External page display restriction” is set to “Do not limit” in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL. 2025-12-12 not yet calculated CVE-2025-64781 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
Japan Total System Co.,Ltd.–GroupSession Free edition Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. 2025-12-12 not yet calculated CVE-2025-65120 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
n/a–R.V.R. Elettronica TLK302T A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799). 2025-12-08 not yet calculated CVE-2025-65228 https://www.rvr.it/en/products/components/telemetry-units-system/tlk300-series/tlk302t/
https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65228
 
n/a–Lyrion Music Server <= 9.0.3. A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to the Player settings page can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. 2025-12-08 not yet calculated CVE-2025-65229 https://lyrion.org/
 
n/a–Barix Instreamer v04.06 and v04.05 Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input. 2025-12-08 not yet calculated CVE-2025-65230 https://help.barix.com/instreamer/user-manual
https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65230
 
n/a–Barix Instreamer v04.06 and earlier Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page. 2025-12-08 not yet calculated CVE-2025-65231 https://help.barix.com/instreamer/user-manual
https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65231
 
n/a–Azuriom CMS admin dashboard Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator’s session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7. 2025-12-08 not yet calculated CVE-2025-65271 https://github.com/Azuriom/Azuriom
https://www.github.com/Azuriom/Azuriom
https://github.com/Azuriom/Azuriom/commit/0289175547319add814dcb526e8ba034f1ebc3ec
https://www.github.com/Azuriom/Azuriom/commit/0289175547319add814dcb526e8ba034f1ebc3ec
https://github.com/1337Skid/CVE-2025-65271
 
n/a–SNMP Web Pro 1.1 An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path (/var/www/files/userScript/) using memcpy + strcat without validation or canonicalization, enabling ../ sequences to escape the intended directory. The download branch also echoes the unsanitized params into Content-Disposition, introducing header-injection risk. 2025-12-09 not yet calculated CVE-2025-65287 https://damiri.fr/en/cve/CVE-2025-65287
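The SNMP Web Pro entry names two defects in one CGI: a base path concatenated with raw user input (so `../` escapes the directory) and the same input echoed into a Content-Disposition header (so CR/LF injects headers). The block below is an added example of the two checks a fix needs, written for this bulletin; it is not the vendor's code. The base directory is the one quoted in the advisory; the function names, the 512-byte buffer, and the use of static buffers are choices made for the demo. It assumes the parameter has already been URL-decoded, since a `%2e%2e` that is decoded after this check would slip through.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BASE_DIR "/var/www/files/userScript/"   /* base path named in the advisory */
#define PATH_MAX_LEN 512

/* Vulnerable pattern: base + params, no validation, no canonicalisation.
 * (snprintf is used only so this demo itself cannot overflow; the logic is the bug.)
 * Returns a static buffer: illustration only, not thread-safe. */
const char *vulnerable_build_path(const char *params) {
    static char out[PATH_MAX_LEN];
    snprintf(out, sizeof out, "%s%s", BASE_DIR, params);
    return out;
}

/* One path component is acceptable if it is non-empty, not "." or "..",
 * and is printable ASCII without backslashes. */
static bool component_ok(const char *s, size_t len) {
    if (len == 0) return false;                                /* "//" */
    if (len == 1 && s[0] == '.') return false;
    if (len == 2 && s[0] == '.' && s[1] == '.') return false;  /* traversal */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e || c == '\\') return false;
    }
    return true;
}

/* Hardened join: accepts only a relative path made of safe components.
 * Returns NULL when the request must be refused. */
const char *safe_build_path(const char *params) {
    static char out[PATH_MAX_LEN];
    if (params[0] == '\0' || params[0] == '/') return NULL;    /* empty or absolute */
    const char *p = params;
    for (;;) {
        size_t len = strcspn(p, "/");
        if (!component_ok(p, len)) return NULL;
        p += len;
        if (*p == '\0') break;
        p++;                                                    /* skip the '/' */
        if (*p == '\0') return NULL;                            /* trailing slash */
    }
    int w = snprintf(out, sizeof out, "%s%s", BASE_DIR, params);
    return (w > 0 && (size_t)w < sizeof out) ? out : NULL;
}

/* Download branch: the name echoed into Content-Disposition must not carry
 * CR/LF (header injection), quotes or backslashes (quoted-string escape), or '/'.
 * Returns the full header line, or NULL when the name is unsafe. */
const char *content_disposition_header(const char *name) {
    static char out[PATH_MAX_LEN];
    size_t len = strlen(name);
    if (len == 0 || len > 128) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e || c == '"' || c == '\\' || c == '/') return NULL;
    }
    snprintf(out, sizeof out, "Content-Disposition: attachment; filename=\"%s\"", name);
    return out;
}

int main(void) {
    const char *evil = "../../../../etc/passwd";
    printf("vulnerable: %s\n", vulnerable_build_path(evil));
    printf("hardened:   %s\n", safe_build_path(evil) ? safe_build_path(evil) : "(rejected)");
    printf("hardened:   %s\n", safe_build_path("logs/today.log"));
    const char *h = content_disposition_header("x\r\nSet-Cookie: a=b");
    printf("header:     %s\n", h ? h : "(rejected)");
    return 0;
}
```

The lexical check stops `..` escapes but cannot see symlinks already inside the base directory; a complete fix also opens the file and confirms (via realpath() on the opened path, or by walking with openat() and O_NOFOLLOW) that the canonical location is still under BASE_DIR.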
 
n/a–Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, causing a crash (DoS) and potentially enabling remote code execution. 2025-12-09 not yet calculated CVE-2025-65288 https://damiri.fr/en/cve/CVE-2025-65288
 
n/a–Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router’s management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator’s browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions. 2025-12-09 not yet calculated CVE-2025-65289 https://damiri.fr/en/cve/CVE-2025-65289
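The two Mercury MR816v2 entries above share one input: the DHCP client hostname (option 12), which the router copies into a fixed buffer without a length check and later renders into the admin UI without encoding. The block below is an added example, written for this bulletin rather than taken from the router firmware, of handling that one field on both sides: a length-aware store that enforces RFC 952/1123 hostname grammar (which incidentally rejects every character an HTML payload needs), and HTML escaping at render time. The 63-byte store, the single-lease table and the function names are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX   63     /* what the lease table stores; RFC 1035 label limit */
#define OPTION_LEN_MAX 255    /* a DHCP option length field is one byte */

struct lease { char hostname[HOSTNAME_MAX + 1]; };
static struct lease g_lease;   /* single-lease demo table */

/* RFC 952/1123 label: 1..63 of [A-Za-z0-9-], not starting or ending with '-'. */
static bool label_ok(const char *s, size_t len) {
    if (len == 0 || len > HOSTNAME_MAX) return false;
    if (s[0] == '-' || s[len - 1] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Whole hostname: dot-separated labels, total length bounded by the store.
 * '<', '"', ' ', '\r' and friends never pass, so an XSS payload is dropped at the
 * DHCP layer, before it is written to the lease table or shown in the UI. */
bool hostname_valid(const char *s, size_t len) {
    if (len == 0 || len > HOSTNAME_MAX) return false;
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || s[i] == '.') {
            if (!label_ok(s + start, i - start)) return false;
            start = i + 1;
        }
    }
    return true;
}

/* Store DHCP option 12. Wire data is not NUL-terminated, so the caller passes
 * the option length; the vulnerable firmware trusted that length and copied
 * into its fixed buffer. Returns false and leaves the lease untouched when the
 * value is oversized or malformed. */
bool store_hostname(const unsigned char *data, size_t len) {
    if (len > OPTION_LEN_MAX) return false;                /* not a real option length */
    if (!hostname_valid((const char *)data, len)) return false;
    memcpy(g_lease.hostname, data, len);                   /* len <= HOSTNAME_MAX, checked */
    g_lease.hostname[len] = '\0';
    return true;
}

const char *current_hostname(void) { return g_lease.hostname; }

/* Output side: HTML-escape anything rendered into the admin UI, even validated
 * strings, so a later relaxation of the input grammar does not reopen the XSS.
 * Returns a static buffer, or NULL when the escaped form would not fit. */
const char *html_escaped(const char *src) {
    static char out[6 * HOSTNAME_MAX + 1];
    size_t o = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (*src) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= sizeof out) return NULL;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    const char *xss = "<script>alert(1)</script>";
    printf("store \"%s\": %s\n", xss,
           store_hostname((const unsigned char *)xss, strlen(xss)) ? "accepted" : "rejected");
    printf("store \"kitchen-pi\": %s\n",
           store_hostname((const unsigned char *)"kitchen-pi", 10) ? "accepted" : "rejected");
    printf("render: %s\n", html_escaped(xss));
    return 0;
}
```

Input validation alone would have prevented both CVEs here, but the escaping step is the durable fix for the XSS: the admin page must encode whatever it displays regardless of how the value got into the lease table.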
 
n/a–Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially serve modified firmware files. 2025-12-10 not yet calculated CVE-2025-65290 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Certificate-Validation-Bypass.md
 
n/a–Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring. 2025-12-10 not yet calculated CVE-2025-65291 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/CoAP-Certificate-Validation-Bypass.md
 
n/a–Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names. 2025-12-10 not yet calculated CVE-2025-65292 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/DNS-Command-Injection.md
 
n/a–Aqara Camera Hub G3 4.1.9_0027 Command injection vulnerabilities in Aqara Camera Hub G3 4.1.9_0027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset. 2025-12-10 not yet calculated CVE-2025-65293 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md
 
n/a–Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution. 2025-12-10 not yet calculated CVE-2025-65294 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md
https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md
 
n/a–Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory. 2025-12-10 not yet calculated CVE-2025-65295 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md
 
n/a–Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs. 2025-12-10 not yet calculated CVE-2025-65296 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/JSON-NULL-Dereference.md
 
n/a–Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information. Note that this occurs without disclosure or consent from the manufacturer. 2025-12-10 not yet calculated CVE-2025-65297 https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Unauthorized-Data-Upload.md
 
n/a–Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim’s browser. 2025-12-09 not yet calculated CVE-2025-65300 https://www.coohom.com/pub/saas/settings/account
https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377
 
n/a–Ruijie APs (AP_RGOS 11.1.x) An authenticated append-style command injection in Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root via the command parameter to the web_action.do endpoint, enabling file disclosure, device disruption, and potential network pivoting. 2025-12-08 not yet calculated CVE-2025-65363 http://ruijie.com
http://rg-ap720-l.com
https://github.com/tmogg/security-advisories/blob/main/CVE-2025-65363/README.md
 
n/a–EasyImages 2.0 v2.8.6 and below An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. 2025-12-11 not yet calculated CVE-2025-65471 https://congsec.cn/?id=20251102153546-i712jss
https://gist.github.com/CongSec/cd3d3ee57b8e6f83c7038e2263c15120
 
n/a–EasyImages 2.0 v2.8.6 and below A Cross-Site Request Forgery (CSRF) in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page. 2025-12-11 not yet calculated CVE-2025-65472 https://congsec.cn/?id=20251104215007-yjddwx1
https://gist.github.com/CongSec/a6c8b15878f19647dbd26c22b47bac65
 
n/a–EasyImages 2.0 v2.8.6 and below An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to execute arbitrary code via injecting a crafted payload into an uploaded file name. 2025-12-11 not yet calculated CVE-2025-65473 https://congsec.cn?id=20251103235610-7t4en7j
https://gist.github.com/CongSec/107b9cab6dd1cb297a738f11e2b2dbb6
 
n/a–EasyImages 2.0 v2.8.6 and below An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format. 2025-12-11 not yet calculated CVE-2025-65474 https://congsec.cn?id=20251103234511-9418dk9
https://gist.github.com/CongSec/3cf968621f71a7da35dcc9b8f0b29bb2
 
n/a–markdownify-mcp v0.0.2 and before A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. This vulnerability allows an attacker to bypass private IP restrictions through hostname-based bypass and HTTP redirect chains, enabling access to internal network services. 2025-12-10 not yet calculated CVE-2025-65512 https://thorn-pheasant-6d8.notion.site/markdownify-mcp-Report-2a03daf7b44180908ff4eea0c2915763
https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65512.md
 
n/a–fetch-mcp v1.0.2 and before fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to bypass private IP validation and access internal network resources. 2025-12-09 not yet calculated CVE-2025-65513 https://thorn-pheasant-6d8.notion.site/fetch-mcp-2853daf7b44180029ca5d56e03195736
https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65513.md
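The two MCP-server entries above (markdownify-mcp and fetch-mcp) describe the same SSRF failure: a private-IP filter that looks at the hostname as written, so a public DNS name that resolves to 127.0.0.1, a userinfo trick such as `http://trusted@127.0.0.1/`, or a redirect from an allowed host to an internal one all get through. The block below is an added example of the guard a fetcher needs, written for this bulletin; it is not code from either project. It checks the resolved address rather than the string, refuses to auto-follow redirects and re-validates each hop, and uses a constructed DNS table and redirect map so it runs offline. IPv4 only; IPv6 literals are simply rejected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parser: exactly four decimal octets, no leading zeros,
 * so spellings like "010.0.0.1" are not silently treated as a hostname. */
bool parse_ipv4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (*s < '0' || *s > '9') return false;
        if (*s == '0' && s[1] >= '0' && s[1] <= '9') return false;
        unsigned n = 0; int digits = 0;
        while (*s >= '0' && *s <= '9' && digits < 4) { n = n * 10 + (unsigned)(*s - '0'); s++; digits++; }
        if (n > 255) return false;
        v = (v << 8) | n;
        if (i < 3) { if (*s != '.') return false; s++; }
    }
    if (*s != '\0') return false;
    *out = v;
    return true;
}

/* Addresses a fetcher must never reach: RFC 1918, loopback, link-local (cloud
 * metadata lives at 169.254.169.254), CGNAT, "this" network, multicast/reserved. */
bool is_blocked_ipv4(uint32_t ip) {
    return (ip >> 24) == 10u || (ip >> 24) == 127u || (ip >> 24) == 0u
        || (ip >> 20) == 0xAC1u            /* 172.16.0.0/12 */
        || (ip >> 16) == 0xC0A8u           /* 192.168.0.0/16 */
        || (ip >> 16) == 0xA9FEu           /* 169.254.0.0/16 */
        || (ip >> 22) == 0x191u            /* 100.64.0.0/10 */
        || (ip >> 28) >= 0xEu;             /* 224.0.0.0/4 and 240.0.0.0/4 */
}

typedef bool (*resolve_fn)(const char *host, uint32_t *ip);   /* DNS, injectable for tests */
typedef const char *(*fetch_fn)(const char *url);             /* Location of a redirect, or NULL */

/* Host part of an http(s) URL; userinfo ("user@") is skipped so
 * http://trusted.example@127.0.0.1/ is seen as 127.0.0.1. IPv6 literals are rejected. */
bool url_host(const char *url, char *host, size_t n) {
    const char *p = strstr(url, "://");
    if (!p) return false;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    for (const char *q = p; q < end; q++) if (*q == '@') p = q + 1;
    size_t len = strcspn(p, ":/?#");
    if (len == 0 || len >= n || p[0] == '[') return false;
    memcpy(host, p, len);
    host[len] = '\0';
    return true;
}

/* The hostname-bypass fix: decide on what the name resolves to, never on its spelling. */
bool host_allowed(const char *host, resolve_fn resolve) {
    uint32_t ip;
    if (!parse_ipv4(host, &ip) && !resolve(host, &ip)) return false;
    return !is_blocked_ipv4(ip);
}

/* The redirect-chain fix: the client must not auto-follow; every hop is re-checked.
 * Returns true and the final URL when the whole chain stayed on allowed hosts. */
bool fetch_guarded(const char *url, resolve_fn resolve, fetch_fn fetch, int max_hops,
                   char *final_url, size_t n) {
    char host[256];
    for (int hop = 0; hop <= max_hops; hop++) {
        if (!url_host(url, host, sizeof host) || !host_allowed(host, resolve)) return false;
        const char *next = fetch(url);
        if (!next) { snprintf(final_url, n, "%s", url); return true; }
        url = next;
    }
    return false;                                             /* too many redirects */
}

/* Constructed DNS table and redirect map for offline demonstration. */
static bool demo_resolve(const char *host, uint32_t *ip) {
    static const struct { const char *name, *addr; } table[] = {
        { "example.com", "93.184.216.34" },
        { "localtest.example", "127.0.0.1" },          /* public name, loopback record */
        { "metadata.example", "169.254.169.254" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(host, table[i].name) == 0) return parse_ipv4(table[i].addr, ip);
    return false;
}
static const char *demo_fetch(const char *url) {
    if (strcmp(url, "http://example.com/start") == 0) return "http://localtest.example/"; /* 302 */
    if (strcmp(url, "http://example.com/hop") == 0) return "http://example.com/final";
    return NULL;
}

/* true if every hop of the chain starting at url was allowed. */
bool demo_fetch_allowed(const char *url) {
    char final_url[512];
    return fetch_guarded(url, demo_resolve, demo_fetch, 5, final_url, sizeof final_url);
}

int main(void) {
    const char *u = "http://example.com/start";
    printf("%s -> %s\n", u, demo_fetch_allowed(u) ? "allowed" : "blocked (redirects to loopback)");
    return 0;
}
```

One caveat the example does not close: validating the resolved address and then letting the HTTP library resolve the name again is a time-of-check/time-of-use gap (DNS rebinding). A production fetcher should connect to the address it validated and send the original Host header, or install a resolver hook in the HTTP client so the same answer is used for both steps.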
 
n/a–CloudLinux ai-bolit before v32.7.4 An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file. 2025-12-12 not yet calculated CVE-2025-65530 http://cloudlinux.com
http://ai-bolit.com
https://blog.imunify360.com/security-advisory-imunify-ai-bolit-vulnerability
 
n/a–NUT-14 NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 does not validate the size of the preimage when the token is spent. The preimage is stored by the mint, and an attacker can exploit this to fill the mint's database and disk with arbitrary data. 2025-12-08 not yet calculated CVE-2025-65548 https://delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090
https://github.com/cashubtc/nuts/blob/main/14.md
https://github.com/cashubtc/nuts/blob/main/07.md
https://preimage007.github.io/
https://github.com/jamesob/delving-bitcoin-archive/blob/master/archive/rendered-topics/2025-11-November/2025-11-02-public-disclosure-denial-of-service-using-htlc-in-cashu-id2090.md
https://bitcointalk.org/index.php?topic=5564329
 
n/a–AllskyTeam AllSky v2024.12.06_06 Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker. 2025-12-09 not yet calculated CVE-2025-65572 https://github.com/AllskyTeam/allsky
https://github.com/AllskyTeam/allsky/blob/master/html/includes/status_messages.php
https://github.com/AllskyTeam/allsky/blob/master/html/includes/allskySettings.php
https://gh0stmezh.wordpress.com/2025/12/04/cve-2025-65572/
 
n/a–AllskyTeam AllSky v2024.12.06_06 Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status. 2025-12-09 not yet calculated CVE-2025-65573 https://github.com/AllskyTeam/allsky
https://github.com/AllskyTeam/allsky/blob/master/html/includes/functions.php
https://github.com/AllskyTeam/allsky/blob/master/html/includes/dashboard_LAN.php
https://github.com/AllskyTeam/allsky/blob/master/html/includes/dashboard_WLAN.php
https://gh0stmezh.wordpress.com/2025/12/05/cve-2025-65573/
 
n/a–OpenSIS 9.2 and below OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. 2025-12-09 not yet calculated CVE-2025-65594 http://opensis.com
https://gitlab.com/tsuretettee/cve-2025-65594
 
n/a–ChanCMS v3.3.4 A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request. 2025-12-10 not yet calculated CVE-2025-65602 https://gitee.com/chancms/ChanCMS
https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link
https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689
 
n/a–Sublime Text 3 Build 3208 or prior Sublime Text 3 Build 3208 or prior for macOS is vulnerable to dylib injection. An attacker could compile a .dylib file and force its execution in the context of the Sublime Text application. 2025-12-09 not yet calculated CVE-2025-65741 https://github.com/sublimehq/sublime_text
https://www.sublimetext.com/3
https://github.com/vinicius-batistella/CVE-2025-65741/
 
n/a–Algernon v1.17.4 Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. 2025-12-10 not yet calculated CVE-2025-65754 https://gist.github.com/Bnyt7/0faa90ff93c5d98093a0e29a1eb34d81
https://github.com/xyproto/algernon
https://github.com/Bnyt7/CVE-2025-65754
 
n/a–DataGear v5.5.0 DataGear v5.5.0 is vulnerable to Arbitrary File Deletion. 2025-12-10 not yet calculated CVE-2025-65792 https://github.com/X3J1n/datagear/issues/1
https://gist.github.com/X3J1n/82b047efdbfd74c414a6d63339ad12fb
 
n/a–usememos memos v0.25.2 Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request. 2025-12-08 not yet calculated CVE-2025-65795 http://memos.com
http://usememos.com
https://github.com/usememos/memos/pull/5217
https://herolab.usd.de/usd-2025-0058/
 
n/a–usememos memos v0.25.2 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users’ Memos. 2025-12-08 not yet calculated CVE-2025-65796 http://memos.com
http://usememos.com
https://github.com/usememos/memos/pull/5217
https://herolab.usd.de/security-advisories/usd-2025-0060/
 
n/a–usememos memos v0.25.2 Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS). 2025-12-08 not yet calculated CVE-2025-65797 http://memos.com
http://usememos.com
https://github.com/usememos/memos/pull/5217
https://herolab.usd.de/security-advisories/usd-2025-0057/
 
n/a–usememos memos v0.25.2 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users. 2025-12-08 not yet calculated CVE-2025-65798 http://memos.com
http://usememos.com
https://github.com/usememos/memos/pull/5217
https://herolab.usd.de/security-advisories/usd-2025-0059/
 
n/a–usememos memos v0.25.2 A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal. 2025-12-08 not yet calculated CVE-2025-65799 http://memos.com
http://usememos.com
https://github.com/usememos/memos/pull/5218
https://herolab.usd.de/security-advisories/usd-2025-0056/
 
n/a–FreeImage v3.18.0 An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file. 2025-12-10 not yet calculated CVE-2025-65803 https://freeimage.sourceforge.io/download.html
https://gist.github.com/1mxml/cabd6d972557d9d992fe5f4f6ca1dd87
 
n/a–Tenda AX3 v16.03.12.11 Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE). 2025-12-08 not yet calculated CVE-2025-65804 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2aaa595a7aef8072968edc528a2d95b1
 
n/a–sd command v1.0.0 An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. 2025-12-10 not yet calculated CVE-2025-65807 http://sd.com
https://github.com/chmln/sd
https://gist.github.com/faabbi/827f10e144fdd342e13a3dd838902e83
 
n/a–RHOPHI Analytics LLP Office App-Edit Word v6.4.1 A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal. 2025-12-10 not yet calculated CVE-2025-65814 https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename
https://github.com/Secsys-FDU/AF_CVEs/issues/6
 
n/a–AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal. 2025-12-10 not yet calculated CVE-2025-65815 https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename
https://github.com/Secsys-FDU/AF_CVEs/issues/7
 
n/a–Meatmeet Android Mobile Application 1.1.2.0. An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which is not available through the normal flows of the application, contains several devices which can be added to your account, two of which have not been publicly released. As a result of this vulnerability, the attacker can gain insight into unreleased Meatmeet devices. 2025-12-10 not yet calculated CVE-2025-65820 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Information-Disclosure.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-information-disclosure-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the NVS partition. Additionally, this allows the adversary to reflash the device with their own firmware which may contain malicious modifications. 2025-12-10 not yet calculated CVE-2025-65821 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/UART-Download-Mode-Enabled.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-uart-download-mode-enabled-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product, an attacker with physical access to the device can connect over this port and reflash the device’s firmware with malicious code, which will be executed upon running. As a result, the victim will lose access to the functionality of their device, and the attacker may gain unauthorized access to the victim’s Wi-Fi network by re-connecting to the SSID defined in the NVS partition of the device. 2025-12-10 not yet calculated CVE-2025-65822 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/JTAG-Enabled.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-jtag-enabled-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same values found in the firmware file. 2025-12-10 not yet calculated CVE-2025-65823 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Hardcoded-Credentials.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-hardcoded-credentials-esp32-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attacker’s code. As the device does not perform checks on upgrades, this results in Remote Code Execution (RCE) and the victim losing complete access to the Meatmeet. 2025-12-10 not yet calculated CVE-2025-65824 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Remote-Code-Execution.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-remote-code-execution-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim’s Wi-Fi network. 2025-12-10 not yet calculated CVE-2025-65825 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Flash-Encryption-Disabled.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-flash-encryption-disabled-md
 
n/a–Meatmeet Pro Mobile Application v1.1.2.0 The mobile application was found to contain stored credentials for the network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as those found in the firmware file. 2025-12-10 not yet calculated CVE-2025-65826 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Hardcoded-Credentials.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-hardcoded-credentials-mobile-md
 
n/a–Meatmeet Pro Mobile Application v1.1.2.0 The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located “upstream” can intercept the traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user’s account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. 2025-12-10 not yet calculated CVE-2025-65827 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Clear-Text-Traffic-Enabled.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-clear-text-traffic-enabled-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service. These commands include: shutdown, restart, clear config. Clear config would disassociate the current device from its user and would require re-configuration to re-enable the device. As a result, the end user would be unable to receive updates from the Meatmeet base station which communicates with the cloud services until the device had been fixed or turned back on. 2025-12-10 not yet calculated CVE-2025-65828 http://meatmeet.com
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-denial-of-service-ble-md
 
n/a–Meatmeet Pro BBQ Thermometer v1.0.34.4 The ESP32 system on a chip (SoC) that powers the Meatmeet basestation device was found to lack Secure Boot. The Secure Boot feature ensures that only authenticated software can execute on the device. The Secure Boot process forms a chain of trust by verifying all mutable software entities involved in the Application Startup Flow. As a result, an attacker with physical access to the device can flash modified firmware to the device, resulting in the execution of malicious code upon startup. 2025-12-10 not yet calculated CVE-2025-65829 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Secure-Boot-Disabled.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-secure-boot-disabled-md
 
n/a–Meatmeet Pro Mobile Application v1.1.2.0 Due to a lack of certificate validation, all traffic from the mobile application can be intercepted. As a result, an adversary located “upstream” can decrypt the TLS traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user’s account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. 2025-12-10 not yet calculated CVE-2025-65830 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Lack-of-Certificate-Pinning.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-lack-of-certificate-pinning-md
 
n/a–Meatmeet Pro Mobile Application v1.1.2.0 The application uses an insecure hashing algorithm (MD5) to hash passwords. If an attacker obtained a copy of these hashes, either through exploiting cloud services, performing TLS downgrade attacks on the traffic from a mobile device, or through another means, they may be able to crack the hash in a reasonable amount of time and gain unauthorized access to the victim’s account. 2025-12-10 not yet calculated CVE-2025-65831 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Insecure-Algorithm.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-lack-of-certificate-pinning-md
 
n/a–Meatmeet Pro Mobile Application v1.1.2.0 The mobile application insecurely handles information stored within memory. By performing a memory dump on the application after a user has logged out and terminated it, Wi-Fi credentials sent during the pairing process, JWTs used for authentication, and other sensitive details can be retrieved. As a result, an attacker with physical access to the device of a victim can retrieve this information and gain unauthorized access to their home Wi-Fi network and Meatmeet account. 2025-12-10 not yet calculated CVE-2025-65832 https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Sensitive%20Information-Stored-in-Memory.md
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-sensitive-information-stored-in-memory-md
 
n/a–MineAdmin v3.x Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and perform a full account takeover. 2025-12-12 not yet calculated CVE-2025-65854 http://mineadmin.com
https://www.mineadmin.com/
https://gist.github.com/SourByte05/1a6c6b08ac47c5d58eb7dd4422cc23b7
 
n/a–openmptcprouter thru 0.64 An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands. 2025-12-09 not yet calculated CVE-2025-65882 http://openmptcprouter.com
https://github.com/Ysurac/openmptcprouter/commit/09393d1c41a227bea7d5b85c0a06221b1302b25f
https://gist.github.com/AradCohen/939ee50d60c4d2bd555a364615a5ab9c
 
WBCE–WBCE_CMS WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to full database compromise and data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5. 2025-12-10 not yet calculated CVE-2025-65950 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3
https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
 
n8n-io–n8n n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project’s pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node. 2025-12-08 not yet calculated CVE-2025-65964 https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq
https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04
https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2
https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes
 
FreePBX–security-reporting FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to “webserver.” When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23. 2025-12-09 not yet calculated CVE-2025-66039 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
 
WBCE–WBCE_CMS WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. 2025-12-08 not yet calculated CVE-2025-66204 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw
https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5
https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
 
ELECOM CO.,LTD.–Clone for Windows Clone for Windows provided by ELECOM CO.,LTD. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. 2025-12-09 not yet calculated CVE-2025-66271 https://www.elecom.co.jp/news/security/20251209-01/
https://jvn.jp/en/jp/JVN33172708/
 
Japan Total System Co.,Ltd.–GroupSession Free edition Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it. 2025-12-12 not yet calculated CVE-2025-66284 https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/
 
n/a–cPanel 110 through 132 An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user. 2025-12-11 not yet calculated CVE-2025-66429 https://docs.cpanel.net/release-notes/release-notes/
https://docs.cpanel.net/changelogs/126-change-log/
 
n/a–Plesk 18.0 Plesk 18.0 has Incorrect Access Control. 2025-12-12 not yet calculated CVE-2025-66430 https://docs.plesk.com/release-notes/obsidian/whats-new/
https://support.plesk.com/hc/en-us/articles/36261922405015–CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server
 
danny-avila–LibreChat LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1. 2025-12-11 not yet calculated CVE-2025-66450 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-84vx-vmcf-xgpp
https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c
 
danny-avila–LibreChat LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1. 2025-12-11 not yet calculated CVE-2025-66451 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vpqq-5qr4-655h
https://github.com/danny-avila/LibreChat/commit/01413eea3d3c1454d32ca9704fa9640407839737
 
danny-avila–LibreChat LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn’t strictly enforced. This issue does not have a fix at the time of publication. 2025-12-11 not yet calculated CVE-2025-66452 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-q6c5-gvj5-c264
 
elysiajs–elysia Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body. 2025-12-09 not yet calculated CVE-2025-66456 https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
https://github.com/elysiajs/elysia/pull/1564
https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
 
elysiajs–elysia Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there is an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app’s source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issue is fixed in version 1.4.18. 2025-12-09 not yet calculated CVE-2025-66457 https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf
https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc
https://github.com/elysiajs/elysia/pull/1564
https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e
https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e
 
GS Yuasa International Ltd.–FULLBACK Manager Pro (for Windows) FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed. 2025-12-08 not yet calculated CVE-2025-66461 https://ps.gs-yuasa.com/technicalinfo/pdf/failure/FMP_info20251201_TEX48214-993.pdf
https://jvn.jp/en/jp/JVN59242986/
 
xwiki–xwiki-platform XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the “No” button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates. 2025-12-10 not yet calculated CVE-2025-66472 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w
https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2
https://jira.xwiki.org/browse/XWIKI-23244
 
xwiki–xwiki-platform XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn’t enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11. 2025-12-10 not yet calculated CVE-2025-66473 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf
https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b
https://jira.xwiki.org/browse/XWIKI-23355
 
xwiki–xwiki-rendering XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1. 2025-12-10 not yet calculated CVE-2025-66474 https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p
https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11
https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49
https://jira.xwiki.org/browse/XRENDERING-693
https://jira.xwiki.org/browse/XRENDERING-792
https://jira.xwiki.org/browse/XRENDERING-793
https://jira.xwiki.org/browse/XWIKI-23378
 
traefik–traefik Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, , Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3. 2025-12-09 not yet calculated CVE-2025-66490 https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c
https://github.com/traefik/traefik/releases/tag/v2.11.32
https://github.com/traefik/traefik/releases/tag/v3.6.4
 
Elastic Email–Elastic Email Sender Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Sender: from n/a through <= 1.2.20. 2025-12-09 not yet calculated CVE-2025-66525 https://vdp.patchstack.com/database/Wordpress/Plugin/elastic-email-sender/vulnerability/wordpress-elastic-email-sender-plugin-1-2-20-broken-access-control-vulnerability?_s_id=cve
 
Essekia–Tablesome Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.34. 2025-12-09 not yet calculated CVE-2025-66526 https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-34-broken-access-control-vulnerability?_s_id=cve
 
VanKarWai–Lobo Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6. 2025-12-09 not yet calculated CVE-2025-66527 https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-broken-access-control-vulnerability?_s_id=cve
 
VillaTheme–Thank You Page Customizer for WooCommerce Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8. 2025-12-09 not yet calculated CVE-2025-66528 https://vdp.patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-customizer/vulnerability/wordpress-thank-you-page-customizer-for-woocommerce-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve
 
Ays Pro–Chartify Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery. This issue affects Chartify: from n/a through <= 3.6.3. 2025-12-09 not yet calculated CVE-2025-66529 https://vdp.patchstack.com/database/Wordpress/Plugin/chart-builder/vulnerability/wordpress-chartify-plugin-3-6-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Webba Appointment Booking–Webba Booking Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through <= 6.2.1. 2025-12-09 not yet calculated CVE-2025-66530 https://vdp.patchstack.com/database/Wordpress/Plugin/webba-booking-lite/vulnerability/wordpress-webba-booking-plugin-6-2-1-broken-access-control-vulnerability?_s_id=cve
 
Dimitri Grassi–Salon booking system Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3. 2025-12-09 not yet calculated CVE-2025-66531 https://vdp.patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Mikado-Themes–Powerlift Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Powerlift: from n/a through < 3.2.1. 2025-12-09 not yet calculated CVE-2025-66532 https://vdp.patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-broken-access-control-vulnerability?_s_id=cve
 
StellarWP–GiveWP Improper Control of Generation of Code (‘Code Injection’) vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1. 2025-12-09 not yet calculated CVE-2025-66533 https://vdp.patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-arbitrary-shortocde-execution-vulnerability?_s_id=cve
 
Elated-Themes–The Aisle Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Aisle: from n/a through <= 2.9. 2025-12-09 not yet calculated CVE-2025-66534 https://vdp.patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-broken-access-control-vulnerability?_s_id=cve
 
gofiber–utils Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system’s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID “00000000-0000-0000-0000-000000000000”. The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4. 2025-12-09 not yet calculated CVE-2025-66565 https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr
https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47
 
SAML-Toolkits–ruby-saml The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0. 2025-12-09 not yet calculated CVE-2025-66567 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
https://github.com/advisories/GHSA-754f-8gm6-c4r2
 
SAML-Toolkits–ruby-saml The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0. 2025-12-09 not yet calculated CVE-2025-66568 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), a Stack-Based Buffer Overflow vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. 2025-12-11 not yet calculated CVE-2025-66584 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), a Use After Free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. 2025-12-11 not yet calculated CVE-2025-66585 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Resource Using Incompatible Type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. 2025-12-11 not yet calculated CVE-2025-66586 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), the affected application is vulnerable to memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. 2025-12-11 not yet calculated CVE-2025-66587 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Uninitialized Pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution. 2025-12-11 not yet calculated CVE-2025-66588 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. This could allow an attacker to disclose information or cause a system crash. 2025-12-11 not yet calculated CVE-2025-66589 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
AzeoTech–DAQFactory In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. This can lead to arbitrary code execution or a system crash. 2025-12-11 not yet calculated CVE-2025-66590 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
 
matrix-org–matrix-rust-sdk matrix-sdk-base is the base component to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate’s sync process will stall, preventing further processing for all rooms. This is fixed in version 0.16.0. 2025-12-09 not yet calculated CVE-2025-66622 https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3
https://github.com/matrix-org/matrix-rust-sdk/pull/5924
https://github.com/matrix-org/matrix-rust-sdk/commit/4ea0418abefab2aa93f8851a4d39c723e703e6b0
https://rustsec.org/advisories/RUSTSEC-2025-0135.html
 
MarimerLLC–csla CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations. 2025-12-09 not yet calculated CVE-2025-66631 https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v
https://github.com/MarimerLLC/csla/issues/4001
https://github.com/MarimerLLC/csla/pull/4018
 
Apache Software Foundation–Apache Struts Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It is related to https://cve.org/CVERecord?id=CVE-2025-64775; this CVE addresses the missing affected version 6.7.4. 2025-12-10 not yet calculated CVE-2025-66675 https://cwiki.apache.org/confluence/display/WW/S2-068
https://cve.org/CVERecord?id=CVE-2025-64775
 
n/a–edoc-doctor-appointment-system v1.0.1 edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the “title” parameter. 2025-12-11 not yet calculated CVE-2025-66918 https://github.com/HashenUdara/edoc-doctor-appointment-system
https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66918/readme.md
 
n/a–jshERP versions 3.5 and earlier jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. 2025-12-12 not yet calculated CVE-2025-67341 https://github.com/jishenghua/jshERP/issues/139
 
n/a–RuoYi versions 4.8.1 and earlier RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability. 2025-12-12 not yet calculated CVE-2025-67342 https://github.com/yangzongzhuan/RuoYi/issues/308
 
n/a–jshERP v3.5 and earlier jshERP v3.5 and earlier are affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. 2025-12-12 not yet calculated CVE-2025-67344 https://github.com/jishenghua/jshERP/issues/140
 
QuantumCloud–Simple Link Directory Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery. This issue affects Simple Link Directory: from n/a through <= 8.8.3. 2025-12-09 not yet calculated CVE-2025-67465 https://vdp.patchstack.com/database/Wordpress/Plugin/simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-8-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
sergiotrinity–Trinity Audio Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trinity Audio: from n/a through <= 5.23.3. 2025-12-09 not yet calculated CVE-2025-67466 https://vdp.patchstack.com/database/Wordpress/Plugin/trinity-audio/vulnerability/wordpress-trinity-audio-plugin-5-23-3-broken-access-control-vulnerability?_s_id=cve
 
StellarWP–GiveWP Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1. 2025-12-09 not yet calculated CVE-2025-67467 https://vdp.patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
CRM Perks–Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6. 2025-12-09 not yet calculated CVE-2025-67468 https://vdp.patchstack.com/database/Wordpress/Plugin/cf7-salesforce/vulnerability/wordpress-integration-for-salesforce-and-contact-form-7-wpforms-elementor-formidable-ninja-forms-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve
 
kubiq–PDF Thumbnail Generator Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4. 2025-12-09 not yet calculated CVE-2025-67469 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-thumbnail-generator/vulnerability/wordpress-pdf-thumbnail-generator-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Essential Plugin–Portfolio and Projects Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Essential Plugin Portfolio and Projects portfolio-and-projects allows Retrieve Embedded Sensitive Data. This issue affects Portfolio and Projects: from n/a through <= 1.5.5. 2025-12-09 not yet calculated CVE-2025-67470 https://vdp.patchstack.com/database/Wordpress/Plugin/portfolio-and-projects/vulnerability/wordpress-portfolio-and-projects-plugin-1-5-5-sensitive-data-exposure-vulnerability?_s_id=cve
 
Saad Iqbal–Quick Contact Form Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery. This issue affects Quick Contact Form: from n/a through <= 8.2.5. 2025-12-09 not yet calculated CVE-2025-67471 https://vdp.patchstack.com/database/Wordpress/Plugin/quick-contact-form/vulnerability/wordpress-quick-contact-form-plugin-8-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
vcita–Online Booking & Scheduling Calendar for WordPress by vcita Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5. 2025-12-09 not yet calculated CVE-2025-67472 https://vdp.patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
codeworkweb–CWW Companion Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery. This issue affects CWW Companion: from n/a through <= 1.3.2. 2025-12-09 not yet calculated CVE-2025-67473 https://vdp.patchstack.com/database/Wordpress/Plugin/cww-companion/vulnerability/wordpress-cww-companion-plugin-1-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Ultimate Member–ForumWP Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ForumWP: from n/a through <= 2.1.4. 2025-12-09 not yet calculated CVE-2025-67474 https://vdp.patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cve
 
static-web-server–static-web-server Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.40.0 and below, symbolic links (symlinks) can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1. 2025-12-09 not yet calculated CVE-2025-67487 https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm
https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2
 
LabRedesCefetRJ–WeGIA WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain an SQL Injection vulnerability in the /html/matPat/editar_categoria.php endpoint. The application fails to properly validate and sanitize user inputs in the id_categoria parameter, which allows attackers to inject malicious SQL payloads for direct execution. This issue is fixed in version 3.5.5. 2025-12-09 not yet calculated CVE-2025-67501 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hj2x-qfm3-2869
https://github.com/LabRedesCefetRJ/WeGIA/commit/f04b91f584a38c2061a071b26219dba3f25819e6
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.5.5
 
gardener–gardenctl-v2 gardenctl is a command-line client for Gardener which configures access to clusters and cloud provider CLI tools. When using non-POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft malicious credential values. The forged credential values are used in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators. This issue is fixed in version 2.12.0. 2025-12-12 not yet calculated CVE-2025-67508 https://github.com/gardener/gardenctl-v2/security/advisories/GHSA-fw33-qpx7-rhx2
 
FreePBX–security-reporting FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6-digit numeric value which can be brute forced (this is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10. 2025-12-10 not yet calculated CVE-2025-67513 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-426v-c5p7-cp29
 
Mikado-Themes–Wilmr Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5. 2025-12-09 not yet calculated CVE-2025-67515 https://vdp.patchstack.com/database/Wordpress/Theme/wilmer/vulnerability/wordpress-wilmer-theme-3-5-local-file-inclusion-vulnerability?_s_id=cve
 
Agile Logix–Store Locator WordPress Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection. This issue affects Store Locator WordPress: from n/a through <= 1.6.2. 2025-12-09 not yet calculated CVE-2025-67516 https://vdp.patchstack.com/database/Wordpress/Plugin/agile-store-locator/vulnerability/wordpress-store-locator-wordpress-plugin-1-6-2-sql-injection-vulnerability?_s_id=cve
 
artplacer–ArtPlacer Widget Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection. This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2. 2025-12-09 not yet calculated CVE-2025-67517 https://vdp.patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-22-9-2-sql-injection-vulnerability?_s_id=cve
 
LambertGroup–Accordion Slider PRO Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a through <= 1.2. 2025-12-09 not yet calculated CVE-2025-67518 https://vdp.patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-sql-injection-vulnerability?_s_id=cve
 
Shahjahan Jewel–Ninja Tables Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3. 2025-12-09 not yet calculated CVE-2025-67519 https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-3-sql-injection-vulnerability?_s_id=cve
 
Tiny Solutions–Media Library Tools Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection. This issue affects Media Library Tools: from n/a through <= 1.6.15. 2025-12-09 not yet calculated CVE-2025-67520 https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-tools/vulnerability/wordpress-media-library-tools-plugin-1-6-15-sql-injection-vulnerability?_s_id=cve
 
Select-Themes–Select Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion. This issue affects Select Core: from n/a through < 2.6. 2025-12-09 not yet calculated CVE-2025-67521 https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve
 
NooTheme–Jobmonster Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion. This issue affects Jobmonster: from n/a through <= 4.8.2. 2025-12-09 not yet calculated CVE-2025-67522 https://vdp.patchstack.com/database/Wordpress/Theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-8-2-local-file-inclusion-vulnerability?_s_id=cve
 
trippleS–Exhibz Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion. This issue affects Exhibz: from n/a through <= 3.0.9. 2025-12-09 not yet calculated CVE-2025-67523 https://vdp.patchstack.com/database/Wordpress/Theme/exhibz/vulnerability/wordpress-exhibz-theme-3-0-9-local-file-inclusion-vulnerability?_s_id=cve
 
NooTheme–Jobmonster Elementor Addon Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion. This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4. 2025-12-09 not yet calculated CVE-2025-67524 https://vdp.patchstack.com/database/Wordpress/Plugin/jobmonster-addon/vulnerability/wordpress-jobmonster-elementor-addon-plugin-1-1-4-local-file-inclusion-vulnerability?_s_id=cve
 
Opal_WP–ekommart Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion. This issue affects ekommart: from n/a through < 4.3.1. 2025-12-09 not yet calculated CVE-2025-67525 https://vdp.patchstack.com/database/Wordpress/Theme/ekommart/vulnerability/wordpress-ekommart-theme-4-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
ThimPress–Sailing Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion. This issue affects Sailing: from n/a through < 4.4.6. 2025-12-09 not yet calculated CVE-2025-67526 https://vdp.patchstack.com/database/Wordpress/Theme/sailing/vulnerability/wordpress-sailing-theme-4-4-6-local-file-inclusion-vulnerability?_s_id=cve
 
trippleS–Digiqole Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7. 2025-12-09 not yet calculated CVE-2025-67527 https://vdp.patchstack.com/database/Wordpress/Theme/digiqole/vulnerability/wordpress-digiqole-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve
 
thembay–Urna Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12. 2025-12-09 not yet calculated CVE-2025-67528 https://vdp.patchstack.com/database/Wordpress/Theme/urna/vulnerability/wordpress-urna-theme-2-5-12-local-file-inclusion-vulnerability?_s_id=cve
 
Opal_WP–Fashion Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion. This issue affects Fashion: from n/a through < 5.3.0. 2025-12-09 not yet calculated CVE-2025-67529 https://vdp.patchstack.com/database/Wordpress/Theme/fashion2/vulnerability/wordpress-fashion-theme-5-3-0-local-file-inclusion-vulnerability?_s_id=cve
 
thembay–Besa Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.15. 2025-12-09 not yet calculated CVE-2025-67530 https://vdp.patchstack.com/database/Wordpress/Theme/besa/vulnerability/wordpress-besa-theme-2-3-15-local-file-inclusion-vulnerability?_s_id=cve
 
trippleS–Turitor Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion. This issue affects Turitor: from n/a through < 1.5.3. 2025-12-09 not yet calculated CVE-2025-67531 https://vdp.patchstack.com/database/Wordpress/Theme/turitor/vulnerability/wordpress-turitor-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve
 
thembay–Hara Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17. 2025-12-09 not yet calculated CVE-2025-67532 https://vdp.patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability?_s_id=cve
 
themifyme–Themify Portfolio Post Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS. This issue affects Themify Portfolio Post: from n/a through <= 1.3.0. 2025-12-09 not yet calculated CVE-2025-67533 https://vdp.patchstack.com/database/Wordpress/Plugin/themify-portfolio-post/vulnerability/wordpress-themify-portfolio-post-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jacques Malgrange–Rencontre Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. 2025-12-09 not yet calculated CVE-2025-67534 https://vdp.patchstack.com/database/Wordpress/Plugin/rencontre/vulnerability/wordpress-rencontre-plugin-3-13-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
WePlugins – WordPress Development Company–WP Maps Deserialization of Untrusted Data vulnerability in WePlugins – WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6. 2025-12-09 not yet calculated CVE-2025-67535 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-map-plugin/vulnerability/wordpress-wp-maps-plugin-4-8-6-php-object-injection-vulnerability?_s_id=cve
 
ThimPress–LearnPress Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4. 2025-12-09 not yet calculated CVE-2025-67536 https://vdp.patchstack.com/database/Wordpress/Plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-2-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Blair Williams–ThirstyAffiliates Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS. This issue affects ThirstyAffiliates: from n/a through <= 3.11.8. 2025-12-09 not yet calculated CVE-2025-67537 https://vdp.patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
jegtheme–JNews Gallery Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1. 2025-12-09 not yet calculated CVE-2025-67538 https://vdp.patchstack.com/database/Wordpress/Plugin/jnews-gallery/vulnerability/wordpress-jnews-gallery-plugin-12-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Select-Themes–Select Core Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Select-Themes Select Core select-core allows DOM-Based XSS. This issue affects Select Core: from n/a through < 2.6. 2025-12-09 not yet calculated CVE-2025-67539 https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Wealcoder–Animation Addons for Elementor Missing Authorization vulnerability in Wealcoder Animation Addons for Elementor animation-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animation Addons for Elementor: from n/a through <= 2.4.5. 2025-12-09 not yet calculated CVE-2025-67540 https://vdp.patchstack.com/database/Wordpress/Plugin/animation-addons-for-elementor/vulnerability/wordpress-animation-addons-for-elementor-plugin-2-4-5-arbitrary-content-deletion-vulnerability?_s_id=cve
 
Lester Chan–WP-ShowHide Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS. This issue affects WP-ShowHide: from n/a through <= 1.05. 2025-12-09 not yet calculated CVE-2025-67541 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-showhide/vulnerability/wordpress-wp-showhide-plugin-1-05-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SilkyPress–Multi-Step Checkout for WooCommerce Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS. This issue affects Multi-Step Checkout for WooCommerce: from n/a through <= 2.33. 2025-12-09 not yet calculated CVE-2025-67542 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-multi-step-checkout/vulnerability/wordpress-multi-step-checkout-for-woocommerce-plugin-2-33-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Catch Themes–Essential Widgets Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS. This issue affects Essential Widgets: from n/a through <= 2.2.2. 2025-12-09 not yet calculated CVE-2025-67543 https://vdp.patchstack.com/database/Wordpress/Plugin/essential-widgets/vulnerability/wordpress-essential-widgets-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Get Bowtied–Shopkeeper Extender Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0. 2025-12-09 not yet calculated CVE-2025-67544 https://vdp.patchstack.com/database/Wordpress/Plugin/shopkeeper-extender/vulnerability/wordpress-shopkeeper-extender-plugin-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
FirePlugins–FireBox Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free. 2025-12-09 not yet calculated CVE-2025-67545 https://vdp.patchstack.com/database/Wordpress/Plugin/firebox/vulnerability/wordpress-firebox-plugin-3-1-0-free-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WP Delicious–WP Delicious Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Delicious: from n/a through <= 1.9.1. 2025-12-09 not yet calculated CVE-2025-67548 https://vdp.patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve
 
bobbingwide–oik Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in bobbingwide oik oik allows DOM-Based XSS. This issue affects oik: from n/a through <= 4.15.3. 2025-12-09 not yet calculated CVE-2025-67549 https://vdp.patchstack.com/database/Wordpress/Plugin/oik/vulnerability/wordpress-oik-plugin-4-15-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
rhewlif–Donation Thermometer Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS. This issue affects Donation Thermometer: from n/a through <= 2.2.6. 2025-12-09 not yet calculated CVE-2025-67550 https://vdp.patchstack.com/database/Wordpress/Plugin/donation-thermometer/vulnerability/wordpress-donation-thermometer-plugin-2-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Wappointment team–Wappointment Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Wappointment team Wappointment wappointment allows Stored XSS. This issue affects Wappointment: from n/a through <= 2.6.9. 2025-12-09 not yet calculated CVE-2025-67551 https://vdp.patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-6-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WalkerWP–Walker Core Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS. This issue affects Walker Core: from n/a through <= 1.3.17. 2025-12-09 not yet calculated CVE-2025-67552 https://vdp.patchstack.com/database/Wordpress/Plugin/walker-core/vulnerability/wordpress-walker-core-plugin-1-3-17-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeHigh–Advanced FAQ Manager Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. 2025-12-09 not yet calculated CVE-2025-67553 https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-faq-manager/vulnerability/wordpress-advanced-faq-manager-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Humanityco–Cookie Notice & Compliance for GDPR / CCPA Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8. 2025-12-09 not yet calculated CVE-2025-67554 https://vdp.patchstack.com/database/Wordpress/Plugin/cookie-notice/vulnerability/wordpress-cookie-notice-compliance-for-gdpr-ccpa-plugin-2-5-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
useStrict–UseStrict’s Calendly Embedder Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in useStrict UseStrict’s Calendly Embedder cal-embedder-lite allows Stored XSS. This issue affects UseStrict’s Calendly Embedder: from n/a through <= 1.1.7.2. 2025-12-09 not yet calculated CVE-2025-67555 https://vdp.patchstack.com/database/Wordpress/Plugin/cal-embedder-lite/vulnerability/wordpress-usestrict-s-calendly-embedder-plugin-1-1-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeHigh–Advanced FAQ Manager Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows Stored XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. 2025-12-09 not yet calculated CVE-2025-67556 https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-faq-manager/vulnerability/wordpress-advanced-faq-manager-plugin-1-5-2-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
Rhys Wynne–WP eBay Product Feeds Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS. This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9. 2025-12-09 not yet calculated CVE-2025-67557 https://vdp.patchstack.com/database/Wordpress/Plugin/ebay-feeds-for-wordpress/vulnerability/wordpress-wp-ebay-product-feeds-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jacques Malgrange–Rencontre Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. 2025-12-09 not yet calculated CVE-2025-67558 https://vdp.patchstack.com/database/Wordpress/Plugin/rencontre/vulnerability/wordpress-rencontre-plugin-3-13-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
vcita–Online Booking & Scheduling Calendar for WordPress by vcita Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5. 2025-12-09 not yet calculated CVE-2025-67559 https://vdp.patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-broken-access-control-vulnerability?_s_id=cve
 
Webilia Inc.–Listdom Missing Authorization vulnerability in Webilia Inc. Listdom listdom allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listdom: from n/a through <= 5.0.1. 2025-12-09 not yet calculated CVE-2025-67560 https://vdp.patchstack.com/database/Wordpress/Plugin/listdom/vulnerability/wordpress-listdom-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve
 
Oleksandr Lysyi–Debug Log Viewer Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3. 2025-12-09 not yet calculated CVE-2025-67561 https://vdp.patchstack.com/database/Wordpress/Plugin/debug-log-viewer/vulnerability/wordpress-debug-log-viewer-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve
 
WebCodingPlace–Image Caption Hover Pro Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Caption Hover Pro: from n/a through < 20.0. 2025-12-09 not yet calculated CVE-2025-67562 https://vdp.patchstack.com/database/Wordpress/Plugin/image-caption-hover-pro/vulnerability/wordpress-image-caption-hover-pro-plugin-20-0-broken-access-control-vulnerability?_s_id=cve
 
Saad Iqbal–Post SMTP Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 3.6.1. 2025-12-09 not yet calculated CVE-2025-67563 https://vdp.patchstack.com/database/Wordpress/Plugin/post-smtp/vulnerability/wordpress-post-smtp-plugin-3-6-1-broken-access-control-vulnerability?_s_id=cve
 
alekv–Pixel Manager for WooCommerce Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in alekv Pixel Manager for WooCommerce woocommerce-google-adwords-conversion-tracking-tag allows Retrieve Embedded Sensitive Data. This issue affects Pixel Manager for WooCommerce: from n/a through <= 1.51.1. 2025-12-09 not yet calculated CVE-2025-67564 https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-google-adwords-conversion-tracking-tag/vulnerability/wordpress-pixel-manager-for-woocommerce-plugin-1-51-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
sizam–Rehub Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam Rehub rehub-theme allows Retrieve Embedded Sensitive Data. This issue affects Rehub: from n/a through <= 19.9.9.1. 2025-12-09 not yet calculated CVE-2025-67565 https://vdp.patchstack.com/database/Wordpress/Theme/rehub-theme/vulnerability/wordpress-rehub-theme-19-9-9-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
WofficeIO–Woffice Core Missing Authorization vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30. 2025-12-09 not yet calculated CVE-2025-67566 https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-broken-access-control-vulnerability?_s_id=cve
 
uixthemes–Sober Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in uixthemes Sober sober allows Retrieve Embedded Sensitive Data. This issue affects Sober: from n/a through <= 3.5.11. 2025-12-09 not yet calculated CVE-2025-67567 https://vdp.patchstack.com/database/Wordpress/Theme/sober/vulnerability/wordpress-sober-theme-3-5-11-sensitive-data-exposure-vulnerability?_s_id=cve
 
xtemos–Basel Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1. 2025-12-09 not yet calculated CVE-2025-67568 https://vdp.patchstack.com/database/Wordpress/Theme/basel/vulnerability/wordpress-basel-theme-5-9-1-broken-access-control-vulnerability?_s_id=cve
 
scriptsbundle–AdForest Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdForest: from n/a through <= 6.0.11. 2025-12-09 not yet calculated CVE-2025-67569 https://vdp.patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-broken-access-control-vulnerability?_s_id=cve
 
GSheetConnector by WesternDeal–WPForms Google Sheet Connector Missing Authorization vulnerability in GSheetConnector by WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.0. 2025-12-09 not yet calculated CVE-2025-67570 https://vdp.patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-0-broken-access-control-vulnerability?_s_id=cve
 
WPFunnels–WPFunnels Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPFunnels: from n/a through <= 3.6.2. 2025-12-09 not yet calculated CVE-2025-67571 https://vdp.patchstack.com/database/Wordpress/Plugin/wpfunnels/vulnerability/wordpress-wpfunnels-plugin-3-6-2-broken-access-control-vulnerability?_s_id=cve
 
PenciDesign–PenNews Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4. 2025-12-09 not yet calculated CVE-2025-67572 https://vdp.patchstack.com/database/Wordpress/Theme/pennews/vulnerability/wordpress-pennews-theme-6-7-4-broken-access-control-vulnerability?_s_id=cve
 
ThimPress–Sailing Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sailing: from n/a through < 4.4.6. 2025-12-09 not yet calculated CVE-2025-67573 https://vdp.patchstack.com/database/Wordpress/Theme/sailing/vulnerability/wordpress-sailing-theme-4-4-6-broken-access-control-vulnerability?_s_id=cve
 
wpdevart–Booking calendar, Appointment Booking System Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30. 2025-12-09 not yet calculated CVE-2025-67574 https://vdp.patchstack.com/database/Wordpress/Plugin/booking-calendar/vulnerability/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-30-broken-access-control-vulnerability?_s_id=cve
 
Andrew Lima–Sitewide Notice WP Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sitewide Notice WP: from n/a through <= 2.4.1. 2025-12-09 not yet calculated CVE-2025-67575 https://vdp.patchstack.com/database/Wordpress/Plugin/sitewide-notice-wp/vulnerability/wordpress-sitewide-notice-wp-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve
 
QuantumCloud–Simple Link Directory Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3. 2025-12-09 not yet calculated CVE-2025-67576 https://vdp.patchstack.com/database/Wordpress/Plugin/simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-8-8-3-broken-access-control-vulnerability?_s_id=cve
 
hassantafreshi–Easy Form Builder Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.8.20. 2025-12-09 not yet calculated CVE-2025-67577 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-8-20-broken-access-control-vulnerability?_s_id=cve
 
Rhys Wynne–WP Email Capture Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Email Capture: from n/a through <= 3.12.4. 2025-12-09 not yet calculated CVE-2025-67578 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-4-broken-access-control-vulnerability?_s_id=cve
 
vanquish–User Extra Fields Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8. 2025-12-09 not yet calculated CVE-2025-67579 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-user-extra-fields/vulnerability/wordpress-user-extra-fields-plugin-16-8-broken-access-control-vulnerability?_s_id=cve
 
Constant Contact–Constant Contact + WooCommerce Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1. 2025-12-09 not yet calculated CVE-2025-67580 https://vdp.patchstack.com/database/Wordpress/Plugin/constant-contact-woocommerce/vulnerability/wordpress-constant-contact-woocommerce-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve
 
themetechmount–TrueBooker Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0. 2025-12-09 not yet calculated CVE-2025-67581 https://vdp.patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-0-broken-access-control-vulnerability?_s_id=cve
 
wbcomdesigns–Wbcom Designs Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1. 2025-12-09 not yet calculated CVE-2025-67582 https://vdp.patchstack.com/database/Wordpress/Plugin/lock-my-bp/vulnerability/wordpress-wbcom-designs-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve
 
ThemeAtelier–IDonate Missing Authorization vulnerability in ThemeAtelier IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonate: from n/a through <= 2.1.15. 2025-12-09 not yet calculated CVE-2025-67583 https://vdp.patchstack.com/database/Wordpress/Plugin/idonate/vulnerability/wordpress-idonate-plugin-2-1-15-broken-access-control-vulnerability?_s_id=cve
 
rtCamp–GoDAM Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GoDAM: from n/a through <= 1.4.6. 2025-12-09 not yet calculated CVE-2025-67584 https://vdp.patchstack.com/database/Wordpress/Plugin/godam/vulnerability/wordpress-godam-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve
 
flexmls–Flexmls IDX URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7. 2025-12-09 not yet calculated CVE-2025-67585 https://vdp.patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-7-open-redirection-vulnerability?_s_id=cve
 
Ronald Huereca–Highlight and Share Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0. 2025-12-09 not yet calculated CVE-2025-67586 https://vdp.patchstack.com/database/Wordpress/Plugin/highlight-and-share/vulnerability/wordpress-highlight-and-share-plugin-5-2-0-broken-access-control-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms FreshDesk Plugin URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5. 2025-12-09 not yet calculated CVE-2025-67587 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-open-redirection-vulnerability?_s_id=cve
 
Elementor–Elementor Website Builder Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through <= 3.33.0. 2025-12-09 not yet calculated CVE-2025-67588 https://vdp.patchstack.com/database/Wordpress/Plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-3-33-0-broken-access-control-vulnerability?_s_id=cve
 
WP Overnight–WooCommerce PDF Invoices & Packing Slips Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1. 2025-12-09 not yet calculated CVE-2025-67589 https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-pdf-invoices-packing-slips/vulnerability/wordpress-woocommerce-pdf-invoices-packing-slips-plugin-4-9-1-broken-access-control-vulnerability?_s_id=cve
 
Rustaurius–Ultimate FAQ Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate FAQ ultimate-faqs allows Cross Site Request Forgery. This issue affects Ultimate FAQ: from n/a through <= 2.4.3. 2025-12-09 not yet calculated CVE-2025-67590 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-faqs/vulnerability/wordpress-ultimate-faq-plugin-2-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
jegtheme–JNews Paywall Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1. 2025-12-09 not yet calculated CVE-2025-67591 https://vdp.patchstack.com/database/Wordpress/Plugin/jnews-paywall/vulnerability/wordpress-jnews-paywall-plugin-12-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Joe Dolson–My Calendar Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16. 2025-12-09 not yet calculated CVE-2025-67592 https://vdp.patchstack.com/database/Wordpress/Plugin/my-calendar/vulnerability/wordpress-my-calendar-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve
 
Stiofan–UsersWP Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48. 2025-12-09 not yet calculated CVE-2025-67593 https://vdp.patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-48-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ThimPress–Thim Elementor Kit Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Elementor Kit: from n/a through <= 1.3.3. 2025-12-09 not yet calculated CVE-2025-67594 https://vdp.patchstack.com/database/Wordpress/Plugin/thim-elementor-kit/vulnerability/wordpress-thim-elementor-kit-plugin-1-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Ays Pro–Quiz Maker Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through <= 6.7.0.82. 2025-12-09 not yet calculated CVE-2025-67595 https://vdp.patchstack.com/database/Wordpress/Plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-82-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Strategy11 Team–Business Directory Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19. 2025-12-09 not yet calculated CVE-2025-67596 https://vdp.patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-19-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Shahjahan Jewel–Fluent Booking Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Booking: from n/a through <= 1.9.11. 2025-12-09 not yet calculated CVE-2025-67597 https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-booking/vulnerability/wordpress-fluent-booking-plugin-1-9-11-broken-access-control-vulnerability?_s_id=cve
 
PSM Plugins–SupportCandy Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1. 2025-12-09 not yet calculated CVE-2025-67598 https://vdp.patchstack.com/database/Wordpress/Plugin/supportcandy/vulnerability/wordpress-supportcandy-plugin-3-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
WebToffee–WebToffee eCommerce Marketing Automation Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce Marketing Automation: from n/a through <= 2.1.1. 2025-12-09 not yet calculated CVE-2025-67599 https://vdp.patchstack.com/database/Wordpress/Plugin/decorator-woocommerce-email-customizer/vulnerability/wordpress-webtoffee-ecommerce-marketing-automation-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve
 
Jenkins Project–Jenkins Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. 2025-12-10 not yet calculated CVE-2025-67635 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. 2025-12-10 not yet calculated CVE-2025-67636 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. 2025-12-10 not yet calculated CVE-2025-67637 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. 2025-12-10 not yet calculated CVE-2025-67638 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker’s account. 2025-12-10 not yet calculated CVE-2025-67639 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins Git client Plugin Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands. 2025-12-10 not yet calculated CVE-2025-67640 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins Coverage Plugin Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability. 2025-12-10 not yet calculated CVE-2025-67641 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins HashiCorp Vault Plugin Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to. 2025-12-10 not yet calculated CVE-2025-67642 Jenkins Security Advisory 2025-12-10
 
Jenkins Project–Jenkins Redpen – Pipeline Reporter for Jira Plugin Jenkins Redpen – Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory. 2025-12-10 not yet calculated CVE-2025-67643 Jenkins Security Advisory 2025-12-10
 
miniflux–v2 Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(…).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15. 2025-12-11 not yet calculated CVE-2025-67713 https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9
https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7
 
zitadel–zitadel ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2. 2025-12-11 not yet calculated CVE-2025-67717 https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx
https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c
 
formio–formio Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3. 2025-12-11 not yet calculated CVE-2025-67718 https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7
https://github.com/formio/formio/commit/1836bdd9f55f5888ff397c257b2108c09d3de478
 
ibexa–user Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into the validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged-in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4. 2025-12-11 not yet calculated CVE-2025-67719 https://github.com/ibexa/user/security/advisories/GHSA-x93p-w2ch-fg67
https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-005-password-change-and-xss-vulnerabilities-in-back-office
 
airlift–aircompressor Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in the Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs, such as a web server that allocates a fixed-size buffer for performance purposes. There is a similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4. 2025-12-12 not yet calculated CVE-2025-67721 https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg
https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15
https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765
 
parse-community–parse-server Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository’s CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed in version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe. 2025-12-12 not yet calculated CVE-2025-67727 https://github.com/parse-community/parse-server/security/advisories/GHSA-6w8g-mgvv-3fcj
https://github.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d
https://github.com/parse-community/parse-server/commit/e3d27fea08c8d8bdd9770a689bc2d757cda48b66
 
frappe–lms Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0. 2025-12-12 not yet calculated CVE-2025-67730 https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2
https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c
 
Aarondoran–servify-express Servify Express is a Node.js package to start an Express server and log the port it’s running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes. 2025-12-12 not yet calculated CVE-2025-67731 https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m
https://github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61
https://github.com/Aarondoran/servify-express/releases/tag/V1.2
 
frappe–lms Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0. 2025-12-12 not yet calculated CVE-2025-67734 https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7
https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632
 
PCSX2–pcsx2 PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. In versions 2.5.377 and below, an unchecked offset and size used in a memcpy operation inside PCSX2’s CDVD SCMD 0x91 and SCMD 0x8F handlers allow a specially crafted disc image or ELF to cause an out-of-bounds read from emulator memory. Because the offset and size are controlled through MG header fields, a specially crafted ELF can read data beyond the bounds of mg_buffer and have it reflected back into emulated memory. This issue is fixed in version 2.5.378. 2025-12-12 not yet calculated CVE-2025-67749 https://github.com/PCSX2/pcsx2/security/advisories/GHSA-69wg-97fx-8j5w
https://github.com/PCSX2/pcsx2/commit/0b73eabd9ac19a5e290e7bee48d15be24e7b7d1b
https://github.com/PCSX2/pcsx2/releases/tag/v2.5.378
 
n/a–Weaviate OSS before 1.33.4. An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/…) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application’s privilege scope. 2025-12-12 not yet calculated CVE-2025-67818 https://github.com/weaviate/weaviate
https://weaviate.io/blog/weaviate-security-release-november-2025
 
n/a–Weaviate OSS before 1.33.4. An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the “Pause file activity” state and the FileReplicationService is reachable can read arbitrary files accessible to the service process. 2025-12-12 not yet calculated CVE-2025-67819 https://github.com/weaviate/weaviate
https://weaviate.io/blog/weaviate-security-release-november-2025
 
Bitdefender–Total Security A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:ProgramDataAtcFeedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as an elevated user. 2025-12-10 not yet calculated CVE-2025-7073 https://www.bitdefender.com/support/security-advisories/local-privilege-escalation-via-arbitrary-file-operation-in-bitdefender-atc-va-12590
 
Gogs–Gogs Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. 2025-12-10 not yet calculated CVE-2025-8110 http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
 
TECNO–com.transsion.audiosmartconnect Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. 2025-12-10 not yet calculated CVE-2025-9056 https://security.tecno.com/SRC/securityUpdates
 
Unknown–WPS Visitor Counter Plugin The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. 2025-12-13 not yet calculated CVE-2025-9116 https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/
 
Moxa–MXsecurity Series An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted JSON payload to the device’s registration endpoint /api/v1/devices/register, allowing the attacker to register unauthorized devices without authentication. Although exploiting this vulnerability allows limited modification of data, there is no impact on the confidentiality or availability of the affected device, and no loss of confidentiality, integrity, or availability within any subsequent systems. 2025-12-10 not yet calculated CVE-2025-9315 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-252631-cve-2025-9315-unauthenticated-device-registration-vulnerability-in-mxsecurity-series
 
Rockwell Automation–432ES-IG3 Series A A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device. 2025-12-09 not yet calculated CVE-2025-9368 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1764.html
 
Google Cloud–Cloud Data Fusion A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: 6.10.6+ and 6.11.1+. Users must immediately upgrade to these versions, or later ones, available at: https://github.com/cdapio/cdap-build/releases . 2025-12-10 not yet calculated CVE-2025-9571 https://docs.cloud.google.com/support/bulletins#gcp-2025-076
 
PCI-SIG–PCI Express Integrity and Data Encryption (PCIe IDE) Specification An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection. This can enable local or physical attackers on the PCIe bus to violate data integrity protections. 2025-12-09 not yet calculated CVE-2025-9612 https://pcisig.com/specifications
https://pcisig.com/PCIeIDEStandardVulnerabilities
 
PCI-SIG–PCI Express Integrity and Data Encryption (PCIe IDE) Specification A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This tag aliasing condition can result in completions being delivered to the wrong security context, potentially compromising data integrity and confidentiality. 2025-12-09 not yet calculated CVE-2025-9613 https://pcisig.com/specifications
https://pcisig.com/PCIeIDEStandardVulnerabilities
 
PCI-SIG–PCI Express Integrity and Data Encryption (PCIe IDE) Specification An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context to be processed in a new one. This can lead to unintended data access across trusted domains, compromising confidentiality and integrity. 2025-12-09 not yet calculated CVE-2025-9614 https://pcisig.com/specifications
https://pcisig.com/PCIeIDEStandardVulnerabilities
 
Portabilis–i-Educar Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. This issue affects i-Educar: 2.10.0. 2025-12-09 not yet calculated CVE-2025-9638 https://fluidattacks.com/advisories/travis
https://github.com/portabilis/i-educar
 