Vulnerability Summary for the Week of December 15, 2025


High Vulnerabilities

Primary Vendor — Product Description Published CVSS Score Source Info Patch Info
Cisco–Cisco Secure Email Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available. 2025-12-17 10 CVE-2025-20393 cisco-sa-sma-attack-N9bf4
 
Hewlett Packard Enterprise (HPE)–HPE OneView A remote code execution issue exists in HPE OneView. 2025-12-16 10 CVE-2025-37164 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn4985en_us&docLocale=en_US
 
smallstep–Step-CA An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. 2025-12-17 10 CVE-2025-44005 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242
https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM’s setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue. 2025-12-17 10 CVE-2025-62521 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3
 
Microsoft–Azure Container Apps Improper control of generation of code (‘code injection’) in Azure Container Apps allows an unauthorized attacker to execute code over a network. 2025-12-18 10 CVE-2025-65037 Azure Container Apps Remote Code Execution Vulnerability
 
Microsoft–Microsoft Partner Center Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. 2025-12-18 10 CVE-2025-65041 Microsoft Partner Center Elevation of Privilege Vulnerability
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue. 2025-12-17 10 CVE-2025-68110 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2
 
n8n-io–n8n n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures. 2025-12-19 10 CVE-2025-68613 https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79
https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000
https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316
 
Dulldusk–phpfm phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server. 2025-12-16 9.8 CVE-2023-53894 ExploitDB-51594
phpFileManager Product Webpage
VulnCheck Advisory: phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability
 
Pimpmylog–PimpMyLog PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables. 2025-12-16 9.8 CVE-2023-53895 ExploitDB-51593
Pimp My Log Product Webpage
Pimp My Log GitHub Repository
VulnCheck Advisory: PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint
 
Unknown–Unknown PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the ‘shortdesc’ parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation. 2025-12-16 9.8 CVE-2023-53899 ExploitDB-51565
Podcast Generator Product Homepage
Podcast Generator GitHub Repository
VulnCheck Advisory: PodcastGenerator 3.2.9 Blind Server-Side Request Forgery via XML Injection
 
ulicms–Ulicms UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access. 2025-12-17 9.8 CVE-2023-53914 ExploitDB-51486
Archived Product Webpage
VulnCheck Advisory: UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability
 
Sitemagic–SitemagicCMS SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands. 2025-12-17 9.8 CVE-2023-53921 ExploitDB-51464
Official Product Webpage
VulnCheck Advisory: SitemagicCMS 4.4.3 Remote Code Execution via Unrestricted File Upload
 
TinyWebGallery–TinyWebGallery TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file’s URL. 2025-12-17 9.8 CVE-2023-53922 ExploitDB-51443
Official Product Webpage
VulnCheck Advisory: TinyWebGallery v2.5 Remote Code Execution via Unrestricted File Upload
 
Ulicms–Ulicms UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access. 2025-12-17 9.8 CVE-2023-53923 ExploitDB-51433
Archived Product Webpage
VulnCheck Advisory: UliCMS 2023.1 Privilege Escalation via Unauthenticated Admin Account Creation
 
PHPJabbers–Simple CMS PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the ‘column’ parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the ‘column’ parameter in the index.php endpoint to potentially extract or modify database information. 2025-12-17 9.8 CVE-2023-53926 ExploitDB-51416
Official Product Homepage
VulnCheck Advisory: PHPJabbers Simple CMS 5.0 SQL Injection via Column Parameter
 
projectSend–projectSend ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user’s private files by changing the ‘id’ parameter in the download request to process.php. 2025-12-17 9.8 CVE-2023-53930 ExploitDB-51400
Official Product Homepage
VulnCheck Advisory: ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability
 
Easyphp–EasyPHP Webserver EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges. 2025-12-18 9.8 CVE-2023-53941 ExploitDB-51430
Official Product Homepage
VulnCheck Advisory: EasyPHP Webserver 14.1 Remote Code Execution
 
cat03–Lilac-Reloaded Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint. 2025-12-19 9.8 CVE-2023-53948 ExploitDB-51374
Official Product Homepage
VulnCheck Advisory: Lilac-Reloaded for Nagios 2.0.8 Remote Code Execution via Autodiscovery
 
innovastudio–WYSIWYG Editor InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. 2025-12-19 9.8 CVE-2023-53950 ExploitDB-51362
Official Vendor Homepage
VulnCheck Advisory: InnovaStudio WYSIWYG Editor 5.4 Unrestricted File Upload via Filename Manipulation
 
Gauzy–ever gauzy Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions. 2025-12-19 9.8 CVE-2023-53951 ExploitDB-51354
Official Product Homepage
VulnCheck Advisory: Ever Gauzy v0.281.9 JWT Authentication Weakness via HMAC Secret
 
Kimai–Kimai Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking. 2025-12-19 9.8 CVE-2023-53957 ExploitDB-51278
Official Product Homepage
VulnCheck Advisory: Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
 
filezilla-project–FileZilla Client FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches. 2025-12-19 9.8 CVE-2023-53959 ExploitDB-51267
Official Product Homepage
VulnCheck Advisory: FileZilla Client 3.63.1 DLL Hijacking via Missing TextShaping.dll
 
Palantir–com.palantir.gotham:glutton Glutton V1 service endpoints were exposed without any authentication on Gotham stacks; this could have allowed users that did not have any permission to hit the glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances. 2025-12-19 9.1 CVE-2024-49587 https://palantir.safebase.us/?tcuUid=95e2d805-dd2f-4544-b164-e61100f47b11
 
snowray–File Uploader for WooCommerce The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the ‘add-image-data’ REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site’s server which may make remote code execution possible. 2025-12-20 9.8 CVE-2025-13329 https://www.wordfence.com/threat-intel/vulnerabilities/id/da0f0e1a-bbf8-42a5-b330-b53134488ebd?source=cve
https://wordpress.org/plugins/file-uploader-for-woocommerce/
 
CMSSuperHeroes–Flex Store Users The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the ‘fsUserHandle::signup’ and the ‘fsSellerRole::add_role_seller’ functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the ‘fs_type’ parameter if the Flex Store Seller plugin is also activated. 2025-12-20 9.8 CVE-2025-13619 https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve
https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930
 
Red Hat–Red Hat OpenShift GitOps 1.16 A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster. 2025-12-15 9.1 CVE-2025-13888 RHSA-2025:23203
RHSA-2025:23206
RHSA-2025:23207
https://access.redhat.com/security/cve/CVE-2025-13888
RHBZ#2418361
 
ays-pro–Fox LMS WordPress LMS Plugin The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the ‘role’ parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise. 2025-12-15 9.8 CVE-2025-14156 https://www.wordfence.com/threat-intel/vulnerabilities/id/de4f8d45-9522-4a32-bc98-be8dbf3a5cf1?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=%2Ffox-lms%2Ftags%2F1.0.5.0%2Fincludes%2Frest%2FPayments.php&new_path=%2Ffox-lms%2Ftags%2F1.0.5.2%2Fincludes%2Frest%2FPayments.php
 
Arcadia Technology, LLC–Crafty Controller An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection. 2025-12-17 9.9 CVE-2025-14700 GitLab Issue #646
 
Shiguangwu–sgwbox N3 A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 9.8 CVE-2025-14705 VDB-336422 | Shiguangwu sgwbox N3 SHARESERVER Feature command injection
VDB-336422 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #706974 | sgwbox N3 NAS V2.0.25 Command Injection
https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a80d69da5d6d17456a183?source=copy_link
 
Shiguangwu–sgwbox N3 A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 9.8 CVE-2025-14706 VDB-336423 | Shiguangwu sgwbox N3 NETREBOOT http_eshell_server command injection
VDB-336423 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #706975 | sgwbox N3 NAS V2.0.25 Command Injection
https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a807cb619f9d2e1bcda20?source=copy_link
 
Shiguangwu–sgwbox N3 A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. Affected is an unknown function of the file /usr/sbin/http_eshell_server of the component DOCKER Feature. Performing manipulation of the argument params results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 9.8 CVE-2025-14707 VDB-336424 | Shiguangwu sgwbox N3 DOCKER Feature http_eshell_server command injection
VDB-336424 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #706976 | sgwbox N3 NAS V2.0.25 Command Injection
https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a805f9b94f7b8799c77a8?source=copy_link
 
Shiguangwu–sgwbox N3 A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 9.8 CVE-2025-14708 VDB-336425 | Shiguangwu sgwbox N3 WIREDCFGGET http_eshell_server buffer overflow
VDB-336425 | CTI Indicators (IOB, IOC, IOA)
Submit #706977 | sgwbox N3 NAS V2.0.25 Buffer Overflow
https://www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a808b9f71fe434929c73b?source=copy_link
 
Shiguangwu–sgwbox N3 A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 9.8 CVE-2025-14709 VDB-336426 | Shiguangwu sgwbox N3 WIRELESSCFGGET http_eshell_server buffer overflow
VDB-336426 | CTI Indicators (IOB, IOC, IOA)
Submit #706989 | sgwbox N3 NAS V2.0.25 Buffer Overflow
https://www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a80258b82dee0d6d1ebd1?source=copy_link
 
Tenda–WH450 A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. 2025-12-18 9.8 CVE-2025-14878 VDB-337369 | Tenda WH450 HTTP Request wirelessRestart stack-based overflow
VDB-337369 | CTI Indicators (IOB, IOC, IOA)
Submit #715357 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/wirelessRestart/wirelessRestart.md
https://www.tenda.com.cn/
 
Tenda–WH450 A weakness has been identified in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/onSSIDChange of the component HTTP Request Handler. This manipulation of the argument ssid_index causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-18 9.8 CVE-2025-14879 VDB-337370 | Tenda WH450 HTTP Request onSSIDChange stack-based overflow
VDB-337370 | CTI Indicators (IOB, IOC, IOA)
Submit #715362 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/onSSIDChange/onSSIDChange.md
https://www.tenda.com.cn/
 
TOTOLINK–T10 A vulnerability has been found in TOTOLINK T10 4.1.8cu.5083_B20200521. This affects the function sprintf of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument loginAuthUrl leads to stack-based buffer overflow. The attack may be performed from remote. 2025-12-19 9.8 CVE-2025-14964 VDB-337599 | TOTOLINK T10 cstecgi.cgi sprintf stack-based overflow
VDB-337599 | CTI Indicators (IOB, IOC, IOA)
Submit #717720 | TOTOLINK T10 V2_Firmware V4.1.8cu.5083_B20200521 Buffer Overflow
https://github.com/JackWesleyy/CVE/blob/main/TOTOLINK_T10_BOC.md
https://www.totolink.net/
 
Restajet Information Technologies Inc.–Online Food Delivery System Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation. This issue affects Online Food Delivery System: through 19122025. 2025-12-19 9.1 CVE-2025-1928 https://www.usom.gov.tr/bildirim/tr-25-0469
 
NVIDIA–Isaac Lab NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. 2025-12-16 9 CVE-2025-33210 https://nvd.nist.gov/vuln/detail/CVE-2025-33210
https://www.cve.org/CVERecord?id=CVE-2025-33210
https://nvidia.custhelp.com/app/answers/detail/a_id/5733
 
Qualcomm, Inc.–Snapdragon Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. 2025-12-18 9 CVE-2025-47372 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
AmentoTech–Tuturn Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse. This issue affects Tuturn: from n/a before 3.6. 2025-12-18 9.8 CVE-2025-64236 https://vdp.patchstack.com/database/wordpress/plugin/tuturn/vulnerability/wordpress-tuturn-plugin-3-6-broken-authentication-vulnerability?_s_id=cve
 
Microsoft–Azure Cognitive Service for Language Custom Question Answering Elevation of Privilege Vulnerability 2025-12-18 9.9 CVE-2025-64663 Custom Question Answering Elevation of Privilege Vulnerability
 
OpenAgentPlatform–Dive Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim’s machine when the node is clicked. Version 0.11.1 fixes the issue. 2025-12-19 9.7 CVE-2025-66580 https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2
 
ThinkInAIXYZ–deepchat DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer to the DOM, this Cross-Site Scripting (XSS) flaw escalates to full Remote Code Execution (RCE), allowing an attacker to execute arbitrary system commands. Two concurrent issues, unsafe Mermaid configuration and an exposed IPC interface, cause this issue. Version 0.5.3 contains a patch. 2025-12-16 9.7 CVE-2025-67744 https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-w8w8-82pv-5rg9
https://github.com/ThinkInAIXYZ/deepchat/commit/b179d97921af04a0ae1ae68757338dd8b8cbefe7
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. 2025-12-17 9.1 CVE-2025-68109 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM’s Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue. 2025-12-17 9.6 CVE-2025-68112 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq
 
openedx–edx-platform The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue. 2025-12-16 9.9 CVE-2025-68270 https://github.com/openedx/edx-platform/security/advisories/GHSA-rh64-vc2h-7wfj
https://github.com/openedx/edx-platform/pull/37772
https://github.com/openedx/edx-platform/pull/37773
https://github.com/openedx/edx-platform/commit/05d0d0936daf82c476617257aa6c35f0cd4ca060
 
WeblateOrg–weblate Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. 2025-12-18 9.1 CVE-2025-68398 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3
https://github.com/WeblateOrg/weblate/pull/17330
https://github.com/WeblateOrg/weblate/pull/17345
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1
 
nicotsx–zerobyte Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This is dangerous for those who have exposed Zerobyte to be used outside of their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended. 2025-12-17 9.1 CVE-2025-68435 https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv
https://github.com/nicotsx/zerobyte/issues/161
https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692
 
Kentico–Xperience An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with ‘Read data’ permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. 2025-12-18 8.8 CVE-2019-25229 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.29 MVC Forms Unrestricted File Upload
 
Kentico–Xperience A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. This enables unauthorized database access and potential data manipulation by exploiting macro method input validation weaknesses. 2025-12-18 8.8 CVE-2021-47711 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.52 Online Marketing Macros SQL Injection
 
spip–spip Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering. 2025-12-16 8.8 CVE-2023-53900 ExploitDB-51557
SPIP Product Webpage
VulnCheck Advisory: Spip 4.1.10 Admin Account Spoofing via Malicious SVG Upload
 
projectSend–projectSend ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files. 2025-12-17 8.8 CVE-2023-53905 ExploitDB-51517
Official Product Homepage
VulnCheck Advisory: ProjectSend r1605 CSV Injection via User Account Export Functionality
 
Rukovoditel–Rukovoditel Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file. 2025-12-17 8.8 CVE-2023-53913 ExploitDB-51490
Official Product Webpage
VulnCheck Advisory: Rukovoditel 3.3.1 CSV Injection via User Account Export
 
Ulicms–Ulicms UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file’s location, enabling system command execution through maliciously crafted avatar uploads. 2025-12-17 8.8 CVE-2023-53924 ExploitDB-51434
Archived Product Webpage
VulnCheck Advisory: UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload
 
PHPJabbers–Simple CMS PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution. 2025-12-17 8.8 CVE-2023-53927 ExploitDB-51415
Official Product Homepage
VulnCheck Advisory: PHPJabbers Simple CMS 5.0 Stored Cross-Site Scripting via Section Creation
 
Phpmyfaq–phpMyFAQ phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like ‘calc|a!z|’ to trigger code execution when an administrator exports user data as a CSV file. 2025-12-17 8.8 CVE-2023-53929 ExploitDB-51399
Official Product Homepage
VulnCheck Advisory: phpMyFAQ 3.1.12 CSV Injection via User Profile Export
 
s9y–Serendipity Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. 2025-12-17 8.8 CVE-2023-53933 ExploitDB-51372
Official Product Homepage
VulnCheck Advisory: Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload
 
leefish–File Thingie File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter. 2025-12-18 8.8 CVE-2023-53942 ExploitDB-51436
Product GitHub Repository
VulnCheck Advisory: File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution
 
brainycp–BrainyCP BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port. 2025-12-19 8.8 CVE-2023-53945 ExploitDB-51357
Official Product Homepage
VulnCheck Advisory: BrainyCP 1.0 Remote Code Execution via Authenticated Crontab Manipulation
 
Arcsoft–PhotoStudio Arcsoft PhotoStudio 6.0.0.172 contains an unquoted service path vulnerability in the ArcSoft Exchange Service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and trigger the service to execute arbitrary code with system-level permissions. 2025-12-19 8.4 CVE-2023-53946 ExploitDB-51393
Official Product Homepage
VulnCheck Advisory: Arcsoft PhotoStudio 6.0.0.172 Unquoted Service Path Privilege Escalation
 
oscinventory–OCS Inventory NG OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to system level. Attackers can place a malicious executable in the unquoted service path and trigger the service restart to execute code with elevated system privileges. 2025-12-19 8.4 CVE-2023-53947 ExploitDB-51389
Official Product Homepage
VulnCheck Advisory: OCS Inventory NG 2.3.0.0 Unquoted Service Path Privilege Escalation
 
Aspemail–AspEmail AspEmail 5.6.0.2 contains a binary permission vulnerability that allows local users to escalate privileges through the Persits Software EmailAgent service. Attackers can exploit full write permissions in the BIN directory to replace the service executable and gain elevated system access. 2025-12-19 8.4 CVE-2023-53949 ExploitDB-51380
Official Product Homepage
VulnCheck Advisory: AspEmail 5.6.0.2 Local Privilege Escalation via Binary Permission Vulnerability
 
Dotclear–Dotclear Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. 2025-12-19 8.8 CVE-2023-53952 ExploitDB-51353
Official Product Homepage
VulnCheck Advisory: Dotclear 2.25.3 Authenticated Remote Code Execution via File Upload
 
altervista–flatnux Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. 2025-12-19 8.8 CVE-2023-53956 ExploitDB-51295
Official Product Homepage
VulnCheck Advisory: Flatnux 2021-03.25 Authenticated File Upload Remote Code Execution
 
Red Hat–Red Hat Lightspeed (formerly Insights) for Runtimes 1.0 A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster’s main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster’s configuration or status on the Red Hat platform. 2025-12-15 8.7 CVE-2025-11393 RHSA-2025:23236
https://access.redhat.com/security/cve/CVE-2025-11393
RHBZ#2402032
 
Mitsubishi Electric Corporation–GENESIS64 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in the software keyboard function (hereinafter referred to as “keypad function”) of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE. 2025-12-19 8.2 CVE-2025-11774 https://jvn.jp/vu/JVNVU97729686/
https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-018_en.pdf
 
smub–Photo Gallery, Sliders, Proofing and Themes NextGEN Gallery The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the ‘template’ shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities. 2025-12-18 8.8 CVE-2025-13641 https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66?source=cve
https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php#L152
https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369
https://plugins.trac.wordpress.org/changeset/3415575/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3004370&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php
 
Foxit Software Inc.–Foxit PDF Reader A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service. During plugin installation, incorrect file system permissions are assigned to resources used by the update service. A local attacker with low privileges could modify or replace these resources, which are later executed by the service, resulting in execution of arbitrary code with SYSTEM privileges. 2025-12-19 8.8 CVE-2025-13941 https://www.foxit.com/support/security-bulletins.html
 
whyun–WPCOM Member The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target’s phone number, and the target does not notice or ignores the SMS notification with the OTP. 2025-12-16 8.1 CVE-2025-14002 https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833
https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
 
Radiometer Medical Aps–ABL90 FLEX and ABL90 FLEX PLUS Analyzers A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer to extract credential information. The vulnerability is due to a weakness in the design and insufficient credential protection in the operating system. Other related CVEs are CVE-2025-14095 & CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required Configuration for Exposure: Attacker requires physical access to the analyzer. Temporary workaround: Only authorized people can physically access the analyzer. Permanent solution: Local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit Status: Researchers have provided a working proof-of-concept (PoC). Radiometer is not aware of any public exploit code at the time of this publication. 2025-12-17 8.4 CVE-2025-14096 https://www.radiometer.com/myradiometer
 
kraftplugins–Demo Importer Plus The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account. 2025-12-18 8.8 CVE-2025-14364 https://www.wordfence.com/threat-intel/vulnerabilities/id/ff9364a9-18f8-47d3-b992-e39c8d99d6ea?source=cve
https://plugins.trac.wordpress.org/changeset/3420645/demo-importer-plus/trunk/inc/Ajax.php
 
Red Hat–Red Hat OpenShift Container Platform 4 A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references. 2025-12-16 8.5 CVE-2025-14443 https://access.redhat.com/security/cve/CVE-2025-14443
RHBZ#2420964
https://github.com/tuxerrante/openshift-ssrf
 
F5–NGINX Ingress Controller A vulnerability exists in NGINX Ingress Controller’s nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2025-12-17 8.3 CVE-2025-14727 https://my.f5.com/manage/s/article/K000158176
 
themeisle–Redirection for Contact Form 7 The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘move_file_to_upload’ function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site’s server. If ‘allow_url_fopen’ is set to ‘On’, it is possible to upload a remote file to the server. 2025-12-21 8.1 CVE-2025-14800 https://www.wordfence.com/threat-intel/vulnerabilities/id/b249ec90-a364-4644-94fb-d42eb6cc4d9a?source=cve
https://plugins.trac.wordpress.org/changeset/3423970/wpcf7-redirect
https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.7/classes/class-wpcf7r-save-files.php#L180
 
Advantech–WebAccess/SCADA Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code. 2025-12-18 8.8 CVE-2025-14849 https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
 
Advantech–WebAccess/SCADA Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files. 2025-12-18 8.1 CVE-2025-14850 https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
 
Tenda–AC18 A security vulnerability has been detected in Tenda AC18 15.03.05.05. The impacted element is the function strcpy of the file /goform/GetParentControlInfo of the component HTTP Request Handler. The manipulation of the argument mac leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2025-12-21 8.8 CVE-2025-14992 VDB-337686 | Tenda AC18 HTTP Request GetParentControlInfo strcpy stack-based overflow
VDB-337686 | CTI Indicators (IOB, IOC, IOA)
Submit #719073 | Tenda AC18 V1.0 15.03.05.05 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/GetParentControlInfo/GetParentControlInfo.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/GetParentControlInfo/GetParentControlInfo.md#reproduce
https://www.tenda.com.cn/
 
Tenda–AC18 A vulnerability was detected in Tenda AC18 15.03.05.05. This affects the function sprintf of the file /goform/SetDlnaCfg of the component HTTP Request Handler. The manipulation of the argument scanList results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. 2025-12-21 8.8 CVE-2025-14993 VDB-337687 | Tenda AC18 HTTP Request SetDlnaCfg sprintf stack-based overflow
VDB-337687 | CTI Indicators (IOB, IOC, IOA)
Submit #719084 | Tenda AC18 V1.0 15.03.05.05 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/SetDlnaCfg/SetDlnaCfg.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/SetDlnaCfg/SetDlnaCfg.md#reproduce
https://www.tenda.com.cn/
 
Tenda–FH1201 A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. 2025-12-21 8.8 CVE-2025-14994 VDB-337688 | Tenda FH1201/FH1206 HTTP Request webtypelibrary strcat stack-based overflow
VDB-337688 | CTI Indicators (IOB, IOC, IOA)
Submit #719153 | Tenda FH1201 V1.2.0.14(408) Stack-based Buffer Overflow
Submit #719155 | Tenda FH1206 1.2.0.8(8155) Stack-based Buffer Overflow (Duplicate)
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/webtyplibrary/webtypelibrary.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1206/webtyplibrary/webtypelibrary.md
https://www.tenda.com.cn/
 
Tenda–FH1201 A vulnerability has been found in Tenda FH1201 1.2.0.14(408). Affected is the function sprintf of the file /goform/SetIpBind. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. 2025-12-21 8.8 CVE-2025-14995 VDB-337689 | Tenda FH1201 SetIpBind sprintf stack-based overflow
VDB-337689 | CTI Indicators (IOB, IOC, IOA)
Submit #719154 | Tenda FH1201 V1.2.0.14(408) Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/SetIpBind/SetIpBind.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/SetIpBind/SetIpBind.md#reproduce
https://www.tenda.com.cn/
 
NVIDIA–Resiliency Extension NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, denial of service, information disclosure, and data tampering. 2025-12-16 8.4 CVE-2025-33225 https://nvd.nist.gov/vuln/detail/CVE-2025-33225
https://www.cve.org/CVERecord?id=CVE-2025-33225
https://nvidia.custhelp.com/app/answers/detail/a_id/5746
 
Nozomi Networks–Guardian A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. 2025-12-18 8.9 CVE-2025-40892 https://security.nozominetworks.com/NN-2025:13-01
 
Nozomi Networks–Guardian A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability. 2025-12-18 8.1 CVE-2025-40898 https://security.nozominetworks.com/NN-2025:15-01
 
Linksys–Linksys E9450-SG Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials. 2025-12-19 8.8 CVE-2025-52692 https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-118/
 
BullWall–Ransomware Containment BullWall Ransomware Containment contains excluded file paths, such as ‘$recycle.bin’, that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. 2025-12-18 8.8 CVE-2025-62001 url
url
 
Microsoft–Azure Cosmos DB Improper neutralization of input during web page generation (‘cross-site scripting’) in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. 2025-12-18 8.3 CVE-2025-64675 Azure Cosmos DB Spoofing Vulnerability
 
Microsoft–Office Out-of-Box Experience Improper neutralization of input during web page generation (‘cross-site scripting’) in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. 2025-12-18 8.2 CVE-2025-64677 Office Out-of-Box Experience Spoofing Vulnerability
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application’s data. Version 6.5.3 fixes the issue. 2025-12-17 8.8 CVE-2025-66395 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue. 2025-12-17 8.3 CVE-2025-66397 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5
 
C4illin–ConvertX ConvertX is a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user-supplied data without doing any sanitization on the name, thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided by an attacker, allowing full code execution. Version 0.16.0 contains a patch for the issue. 2025-12-16 8.8 CVE-2025-66449 https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r
https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e
https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30
 
Mintlify–Mintlify Platform A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file. 2025-12-19 8.3 CVE-2025-67843 https://www.mintlify.com/docs/changelog
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
https://kibty.town/blog/mintlify/
https://news.ycombinator.com/item?id=46317098
 
error311–FileRise FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. 2025-12-16 8.9 CVE-2025-68116 https://github.com/error311/FileRise/security/advisories/GHSA-35pp-ggh6-c59c
 
opensourcepos–opensourcepos Open Source Point of Sale (opensourcepos) is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the “Return Policy” configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the “Store Configuration” (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the “Return Policy” field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch. 2025-12-17 8.1 CVE-2025-68147 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh
https://github.com/opensourcepos/opensourcepos/commit/22297a
https://github.com/Nixon-H/CVE-2025-68147-OSPOS-Stored-XSS
 
sebhildebrandt–systeminformation systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch. 2025-12-16 8.1 CVE-2025-68154 https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch
https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68
 
opensourcepos–opensourcepos Open Source Point of Sale (opensourcepos) is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application’s filter configuration. The CSRF protection mechanism was explicitly disabled, allowing the application to process state-changing requests (POST) without verifying a valid CSRF token. An unauthenticated remote attacker can exploit this by hosting a malicious web page. If a logged-in administrator visits this page, their browser is forced to send unauthorized requests to the application. A successful exploit allows the attacker to silently create a new Administrator account with full privileges, leading to a complete takeover of the system and loss of confidentiality, integrity, and availability. The vulnerability has been patched in version 3.4.2. The fix re-enables the CSRF filter in `app/Config/Filters.php` and resolves associated AJAX race conditions by adjusting token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter in `app/Config/Filters.php` by uncommenting the protection line. However, this is not recommended without applying the full patch, as it may cause functionality breakage in the Sales module due to token synchronization issues. 2025-12-17 8.8 CVE-2025-68434 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-wjm4-hfwg-5w5r
https://github.com/opensourcepos/opensourcepos/pull/4349
https://github.com/opensourcepos/opensourcepos/commit/d575c8da9a1d7af8313a1e758e000e243f5614ef
https://github.com/Nixon-H/CVE-2025-68434-OSPOS-CSRF-Unauthorized-Administrator-Creation
 
Hitachi Vantara–Pentaho Data Integration and Analytics Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. 2025-12-15 8.8 CVE-2025-9121 https://support.pentaho.com/hc/en-us/articles/41832536185613–Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121
 
Kentico–Xperience An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate security-sensitive macros by manipulating user privilege levels. 2025-12-18 7.2 CVE-2020-36890 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 10 Administrator Access Control Bypass
 
Kentico–Xperience A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix introduces an additional security layer to prevent hash value reuse and potential exploitation. 2025-12-18 7.5 CVE-2021-47712 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.102 URL Hashing Cryptography Vulnerability
 
HappyFiles–HappyFiles Pro Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HappyFiles Pro: from n/a through 1.8.1. 2025-12-21 7.7 CVE-2023-25446 https://vdp.patchstack.com/database/wordpress/plugin/happyfiles-pro/vulnerability/wordpress-happyfiles-pro-plugin-1-8-1-broken-access-control?_s_id=cve
 
D-Link–DAP-1325 D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit the /cgi-bin/ExportSettings.sh endpoint to retrieve sensitive configuration information by directly accessing the export settings script. 2025-12-16 7.5 CVE-2023-53896 ExploitDB-51556
D-Link DAP-1325 Product Webpage
VulnCheck Advisory: D-Link DAP-1325 Hardware A1 Unauthenticated Configuration Download
 
Kentico–Xperience A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improper input validation enables remote attackers to potentially disrupt service availability through maliciously constructed requests. 2025-12-18 7.5 CVE-2023-53934 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.98 GetResource Handler Denial of Service
 
Hubstaff–Hubstaff Hubstaff 1.6.14 contains a DLL search order hijacking vulnerability that allows attackers to replace a missing system32 wow64log.dll with a malicious library. Attackers can generate a custom DLL using Metasploit and place it in the system32 directory to obtain a reverse shell during application startup. 2025-12-18 7.8 CVE-2023-53937 ExploitDB-51461
Official Product Homepage
VulnCheck Advisory: Hubstaff 1.6.14 DLL Search Order Hijacking via wow64log Library
 
Alfonzm–Codigo Markdown Editor Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js child_process module when the file is opened. 2025-12-18 7.8 CVE-2023-53940 ExploitDB-51432
Product GitHub Repository
VulnCheck Advisory: Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File
 
ltb-project–LDAP Tool Box Self Service Password LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens. 2025-12-19 7.5 CVE-2023-53958 ExploitDB-51275
Official Product Homepage
VulnCheck Advisory: LDAP Tool Box Self Service Password 1.5.2 Account Takeover via HTTP Host Header
 
Utarit Information Services Inc.–SoliClub Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable. This issue affects SoliClub: from 5.2.4 before 5.3.7. 2025-12-18 7.5 CVE-2025-1029 https://www.usom.gov.tr/bildirim/tr-25-0466
 
Utarit Informatics Services Inc.–SoliClub Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information. This issue affects SoliClub: from 5.2.4 before 5.3.7. 2025-12-18 7.5 CVE-2025-1030 https://www.usom.gov.tr/bildirim/tr-25-0466
 
Utarit Informatics Services Inc.–SoliClub Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse. This issue affects SoliClub: from 5.2.4 before 5.3.7. 2025-12-18 7.5 CVE-2025-1031 https://www.usom.gov.tr/bildirim/tr-25-0466
 
Autodesk–Shared Components A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10881 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted X_T file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10882 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10883 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10884 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10886 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10887 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10888 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10889 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10898 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10899 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-10900 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
kstover–Ninja Forms The Contact Form Builder That Grows With You The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token, provided they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective. 2025-12-17 7.5 CVE-2025-11924 https://www.wordfence.com/threat-intel/vulnerabilities/id/4240cdae-9122-443e-8a7e-3369e74384be?source=cve
https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms
 
wpxpo–Post Grid Gutenberg Blocks for News, Magazines, Blog Websites PostX The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘/ultp/v2/get_dynamic_content/’ REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes. 2025-12-21 7.5 CVE-2025-12980 https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44?source=cve
https://plugins.trac.wordpress.org/changeset/3421729/ultimate-post/trunk/classes/Blocks.php
 
Menulux Software Inc.–Mobile App Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8. 2025-12-16 7.5 CVE-2025-13474 https://www.usom.gov.tr/bildirim/tr-25-0457
 
bplugins–HTML5 Audio Player The Ultimate No-Code Podcast, MP3 & Audio Player The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2025-12-19 7.2 CVE-2025-13999 https://www.wordfence.com/threat-intel/vulnerabilities/id/989b4b9d-e22e-46a7-8ebc-5c8b33f98111?source=cve
https://plugins.trac.wordpress.org/changeset?old=3394789&old_path=html5-audio-player%2Ftags%2F2.5.1%2Finc%2FCore%2FAjax.php&new=3419843&new_path=html5-audio-player%2Ftags%2F2.5.2%2Finc%2FCore%2FAjax.php
 
LINE Corporation–LINE client for iOS LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application’s network processing, causing server certificate verification to be disabled for a significant portion of network traffic, which could allow a network-adjacent attacker to intercept or modify encrypted communications. 2025-12-15 7.7 CVE-2025-14022 https://hackerone.com/reports/2853445
 
EnterpriseDB–Hybrid Manager – LTS EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager – LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager – Innovation should be upgraded to 2025.12. 2025-12-15 7 CVE-2025-14038 https://www.enterprisedb.com/docs/security/advisories/cve202514038/
 
livecomposer–Live Composer Free WordPress Website Builder The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. 2025-12-21 7.5 CVE-2025-14071 https://www.wordfence.com/threat-intel/vulnerabilities/id/4b15c991-5256-405c-8382-85dba6f032ba?source=cve
https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/modules/posts/module.php#L2807
https://plugins.trac.wordpress.org/browser/live-composer-page-builder/tags/1.5.53/modules/posts/module.php#L2807
https://github.com/live-composer/live-composer-page-builder/commit/2b0b430ab107eb6cb72196251e429a695c11e41b
https://plugins.trac.wordpress.org/changeset/3419715/live-composer-page-builder/trunk/modules/posts/module.php
 
Radiometer Medical Aps–ABL90 FLEX and ABL90 FLEX PLUS Analyzers A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. Exploitation requires that a remote connection is established with additional information obtained through other means. The issue is caused by a weakness in the analyzer’s application software. Other related CVEs are CVE-2025-14095 and CVE-2025-14096. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required Configuration for Exposure: an affected application software version is in use and the remote support feature is enabled in the analyzer. Temporary workaround: if the network is not considered secure, remove the analyzer from the network. Permanent solution: customers should ensure the following: • The network is secure, and access follows best practices. Local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit Status: researchers have provided a working proof-of-concept (PoC). Radiometer is not aware of any publicly available exploits at the time of this publication. 2025-12-17 7.2 CVE-2025-14097 https://www.radiometer.com/myradiometer
 
GG Soft Software Services Inc.–PaperWork Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. 2025-12-17 7.1 CVE-2025-14101 https://www.usom.gov.tr/bildirim/tr-25-0464
 
Advantech–SUSI An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior. 2025-12-16 7.8 CVE-2025-14252 https://www.txone.com/psirt/advisories/CVE-2025-14252
 
Acer–ListCheck.exe ListCheck.exe developed by Acer has a Local Privilege Escalation vulnerability. Authenticated local attackers can replace ListCheck.exe with a malicious executable of the same name, which will be executed by the system and result in privilege escalation. 2025-12-17 7.8 CVE-2025-14305 https://www.twcert.org.tw/tw/cp-132-10580-01ad5-1.html
https://www.twcert.org.tw/en/cp-139-10581-16346-2.html
 
wpdevelop–Booking Calendar The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘dates_to_check’ parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2025-12-15 7.5 CVE-2025-14383 https://www.wordfence.com/threat-intel/vulnerabilities/id/790f93b0-eb69-473f-a726-bfe215f5d870?source=cve
https://plugins.trac.wordpress.org/changeset/3416518/booking/trunk/includes/_capacity/capacity.php
 
wpmudev–Hummingbird Performance Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the ‘request’ function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials. 2025-12-18 7.5 CVE-2025-14437 https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve
https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance
 
AWS–Harmonix on AWS An overly permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend that customers who have deployed the framework using versions v0.3.0 through v0.4.1 upgrade to Harmonix on AWS v0.4.2 or later. 2025-12-15 7.2 CVE-2025-14503 https://github.com/awslabs/harmonix/pull/189
https://aws.amazon.com/security/security-bulletins/AWS-2025-031/
https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw
 
Autodesk–Shared Components A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-14593 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Arcadia Technology, LLC–Crafty Controller An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification. 2025-12-17 7.1 CVE-2025-14701 GitLab Issue #647
 
Shiguangwu–sgwbox N3 A vulnerability was found in Shiguangwu sgwbox N3 2.0.25. The impacted element is an unknown function of the file /eshell of the component API. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 7.3 CVE-2025-14704 VDB-336421 | Shiguangwu sgwbox N3 API eshell path traversal
VDB-336421 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #706915 | sgwbox N3 NAS V2.0.25 Directory Traversal
https://www.notion.so/sgwbox-NAS-N3-Directory-Traversal-2be6cf4e528a802a9c0ad6f01b75694e?source=copy_link
 
FantasticLBP–Hotels Server A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 7.3 CVE-2025-14710 VDB-336427 | FantasticLBP Hotels Server OrderList.php sql injection
VDB-336427 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707082 | GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection
https://github.com/navex2/CVE/issues/3
 
FantasticLBP–Hotels Server A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This vulnerability affects unknown code of the file /controller/api/hotelList.php. This manipulation of the argument pickedHotelName/type causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 7.3 CVE-2025-14711 VDB-336428 | FantasticLBP Hotels Server hotelList.php sql injection
VDB-336428 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707083 | GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection
Submit #707085 | GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection (Duplicate)
https://github.com/navex2/CVE/issues/1
https://github.com/navex2/CVE/issues/2
 
JHENG GAO–Student Learning Assessment and Support System Student Learning Assessment and Support System developed by JHENG GAO has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain test accounts and passwords. 2025-12-15 7.5 CVE-2025-14712 https://www.twcert.org.tw/tw/cp-132-10570-72e31-1.html
https://www.twcert.org.tw/en/cp-139-10571-a0c2a-2.html
 
The Browser Company of New York–ArcSearch ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. 2025-12-19 7.4 CVE-2025-14809 https://arc.net/security/bulletins#cve-2025-14809-address-bar-spoofing-risk-navigation-trigger-uri-confusion-on-arcsearch-android
 
The Browser Company of New York–ArcSearch ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. 2025-12-19 7.5 CVE-2025-14812 https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios
 
itsourcecode–Online Cake Ordering System A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2025-12-17 7.3 CVE-2025-14832 VDB-336981 | itsourcecode Online Cake Ordering System updateproduct.php sql injection
VDB-336981 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715063 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/ZhangYu-del/cve/issues/1
https://itsourcecode.com/
 
code-projects–Online Appointment Booking System A security flaw has been discovered in code-projects Online Appointment Booking System 1.0. The impacted element is an unknown function of the file /admin/deletemanagerclinic.php. Performing manipulation of the argument clinic results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. 2025-12-17 7.3 CVE-2025-14833 VDB-336982 | code-projects Online Appointment Booking System deletemanagerclinic.php sql injection
VDB-336982 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715073 | code-projects Online Appointment Booking System V1.0 SQL injection
https://github.com/Sqli22/Sqli/issues/2
https://code-projects.org/
 
MongoDB Inc.–MongoDB Server Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0. 2025-12-19 7.5 CVE-2025-14847 https://jira.mongodb.org/browse/SERVER-115508
 
brainstormforce–SureForms Contact Form, Payment Form & Other Custom Form Builder The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 7.2 CVE-2025-14855 https://www.wordfence.com/threat-intel/vulnerabilities/id/5e493f01-95db-48ba-8daf-d7ff69df29bf?source=cve
https://plugins.trac.wordpress.org/browser/sureforms/tags/2.2.0/assets/build/entries.js
https://plugins.trac.wordpress.org/changeset/3423684/sureforms
 
Campcodes–Supplier Management System A vulnerability was identified in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_retailer.php. The manipulation of the argument cmbAreaCode leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2025-12-18 7.3 CVE-2025-14877 VDB-337368 | Campcodes Supplier Management System add_retailer.php sql injection
VDB-337368 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715326 | Campcodes Supplier Management System V1.0 SQL Injection
https://github.com/ProgramShowMaker/CVE/issues/6
https://www.campcodes.com/
 
D-Link–DIR-605 A vulnerability was detected in D-Link DIR-605 202WWB03. Affected by this issue is some unknown functionality of the component Firmware Update Service. Performing manipulation results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-18 7.2 CVE-2025-14884 VDB-337372 | D-Link DIR-605 Firmware Update Service command injection
VDB-337372 | CTI Indicators (IOB, IOC, TTP)
Submit #715465 | D-Link DIR605 B1v202WWB03 Command Injection
https://tzh00203.notion.site/D-Link-DIR605-B1v202WWB03-Command-Injection-in-Firmware-Update-2cab5c52018a80de8df7f427ac2faf0e?source=copy_link
https://www.dlink.com/
 
yuzutech–kroki due to insufficient sanitization in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information. 2025-12-18 7.5 CVE-2025-14896 https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e
 
code-projects–Scholars Tracking System A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-19 7.3 CVE-2025-14940 VDB-337520 | code-projects Scholars Tracking System delete_user.php sql injection
VDB-337520 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716120 | code-projects Scholars Tracking System V1.0 SQL Injection
https://github.com/gx922/CVE/issues/1
https://code-projects.org/
 
code-projects–Scholars Tracking System A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. 2025-12-19 7.3 CVE-2025-14950 VDB-337586 | code-projects Scholars Tracking System delete_post.php sql injection
VDB-337586 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716123 | code-projects Scholars Tracking System V1.0 SQL Injection
https://github.com/gx922/CVE/issues/2
https://code-projects.org/
 
code-projects–Scholars Tracking System A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2025-12-19 7.3 CVE-2025-14951 VDB-337587 | code-projects Scholars Tracking System home.php sql injection
VDB-337587 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716185 | code-projects Scholars Tracking System V1.0 SQL Injection
https://github.com/gx922/CVE/issues/3
https://code-projects.org/
 
Campcodes–Supplier Management System A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing manipulation of the argument txtCategoryName results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2025-12-19 7.3 CVE-2025-14952 VDB-337588 | Campcodes Supplier Management System add_category.php sql injection
VDB-337588 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716440 | Campcodes Supplier Management System V1.0 SQL Injection
https://github.com/vivibiubiu/CVE/issues/1
https://www.campcodes.com/
 
code-projects–Simple Stock System A weakness has been identified in code-projects Simple Stock System 1.0. This issue affects some unknown processing of the file /market/signup.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-19 7.3 CVE-2025-14959 VDB-337595 | code-projects Simple Stock System signup.php sql injection
VDB-337595 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717344 | code-projects Simple Stock System V1.0 SQL Injection
https://github.com/InorSogeih/Inor/issues/1
https://code-projects.org/
 
code-projects–Simple Blood Donor Management System A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1.0. Impacted is an unknown function of the file /editeddonor.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2025-12-19 7.3 CVE-2025-14960 VDB-337596 | code-projects Simple Blood Donor Management System editeddonor.php sql injection
VDB-337596 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717374 | code-projects Simple Blood Donor Management System V1.0 SQL Injection
https://github.com/lei-loveling/CVE/issues/1
https://code-projects.org/
 
code-projects–Simple Blood Donor Management System A vulnerability was detected in code-projects Simple Blood Donor Management System 1.0. The affected element is an unknown function of the file /editedcampaign.php. The manipulation of the argument campaignname results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. 2025-12-19 7.3 CVE-2025-14961 VDB-337597 | code-projects Simple Blood Donor Management System editedcampaign.php sql injection
VDB-337597 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717584 | code-projects Simple Blood Donor Management System V1.0 SQL Injection
https://github.com/lei-loveling/CVE/issues/2
https://code-projects.org/
 
itsourcecode–Student Management System A vulnerability was identified in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /candidates_report.php. The manipulation of the argument school_year leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. 2025-12-19 7.3 CVE-2025-14967 VDB-337602 | itsourcecode Student Management System candidates_report.php sql injection
VDB-337602 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718414 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/28
https://itsourcecode.com/
 
code-projects–Simple Stock System A security flaw has been discovered in code-projects Simple Stock System 1.0. Affected by this issue is some unknown functionality of the file /market/update.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. 2025-12-19 7.3 CVE-2025-14968 VDB-337603 | code-projects Simple Stock System update.php sql injection
VDB-337603 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718433 | Code-projects Simple Stock System v1.0 SQL injection
https://github.com/z2sw57y/CVE/issues/1
https://code-projects.org/
 
Campcodes–Complete Online Beauty Parlor Management System A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This issue affects some unknown processing of the file /admin/search-invoices.php. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. 2025-12-20 7.3 CVE-2025-14989 VDB-337683 | Campcodes Complete Online Beauty Parlor Management System search-invoices.php sql injection
VDB-337683 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718452 | campcodes Complete Online Beauty Parlor Management System V1.0 SQL Injection
https://github.com/funnnxxx/my-cve/issues/3
https://www.campcodes.com/
 
Campcodes–Complete Online Beauty Parlor Management System A security flaw has been discovered in Campcodes Complete Online Beauty Parlor Management System 1.0. Impacted is an unknown function of the file /admin/view-appointment.php. Performing manipulation of the argument viewid results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. 2025-12-21 7.3 CVE-2025-14990 VDB-337684 | Campcodes Complete Online Beauty Parlor Management System view-appointment.php sql injection
VDB-337684 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718453 | campcodes Complete Online Beauty Parlor Management System V1.0 SQL Injection
https://github.com/funnnxxx/my-cve/issues/2
https://www.campcodes.com/
 
SeaCMS–SeaCMS A vulnerability has been found in SeaCMS up to 13.3. The affected element is an unknown function of the file js/player/dmplayer/dmku/class/mysqli.class.php. Such manipulation of the argument page/limit leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2025-12-21 7.3 CVE-2025-15002 VDB-337707 | SeaCMS mysqli.class.php sql injection
VDB-337707 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716083 | SeaCMS 13.3 SQL Injection
https://note-hxlab.wetolink.com/share/VFwALb6qhnTZ
 
Restajet Information Technologies Inc.–Online Food Delivery System Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025. 2025-12-19 7.1 CVE-2025-1927 https://www.usom.gov.tr/bildirim/tr-25-0469
 
Qualcomm, Inc.–Snapdragon Memory corruption during video playback when video session open fails with time out error. 2025-12-18 7.8 CVE-2025-27063 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
NVIDIA–NeMo Framework NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. 2025-12-16 7.3 CVE-2025-33212 https://nvd.nist.gov/vuln/detail/CVE-2025-33212
https://www.cve.org/CVERecord?id=CVE-2025-33212
https://nvidia.custhelp.com/app/answers/detail/a_id/5736
 
NVIDIA–NeMo Framework NVIDIA NeMo Framework for all platforms contains a vulnerability where malicious data created by an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. 2025-12-16 7.8 CVE-2025-33226 https://nvd.nist.gov/vuln/detail/CVE-2025-33226
https://www.cve.org/CVERecord?id=CVE-2025-33226
https://nvidia.custhelp.com/app/answers/detail/a_id/5736
 
NVIDIA–Resiliency Extension NVIDIA Resiliency Extension for Linux contains a vulnerability in the checkpointing core, where an attacker may cause a race condition. A successful exploit of this vulnerability might lead to information disclosure, data tampering, denial of service, or escalation of privileges. 2025-12-16 7.8 CVE-2025-33235 https://nvd.nist.gov/vuln/detail/CVE-2025-33235
https://www.cve.org/CVERecord?id=CVE-2025-33235
https://nvidia.custhelp.com/app/answers/detail/a_id/5746
 
Qualcomm, Inc.–Snapdragon Memory corruption while processing MFC channel configuration during music playback. 2025-12-18 7.8 CVE-2025-47320 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while copying packets received from unix clients. 2025-12-18 7.8 CVE-2025-47321 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while handling IOCTL calls to set mode. 2025-12-18 7.8 CVE-2025-47322 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while routing GPR packets between user and root when handling large data packet. 2025-12-18 7.8 CVE-2025-47323 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. 2025-12-18 7.8 CVE-2025-47350 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while loading an invalid firmware in boot loader. 2025-12-18 7.8 CVE-2025-47382 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when processing IOCTLs for JPEG data without verification. 2025-12-18 7.8 CVE-2025-47387 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Grassroot DICOM–Grassroot DICOM An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An attacker can provide a malicious file to trigger this vulnerability. 2025-12-16 7.4 CVE-2025-48429 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214
 
Grassroot DICOM–Grassroot DICOM An out-of-bounds read vulnerability exists in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. 2025-12-16 7.4 CVE-2025-52582 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2211
 
Fuji Electric–Monitouch V-SFT-6 Fuji Electric Monitouch V-SFT-6 is vulnerable to an out-of-bounds write while processing a specially crafted project file, which may allow an attacker to execute arbitrary code. 2025-12-17 7.8 CVE-2025-53524 https://felib.fujielectric.co.jp/en/document_search?tab=software&document1%5B1%5D=M10009&document2%5B1%5D=M20104&product1%5B1%5D=P10003&product2%5B1%5D=P20023&product3%5B1%5D=P30623&product4%5B1%5D=S11133&discontinued%5B1%5D=0&count=20&sort=en_title&page=1&region=en-glb
https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-01.json
 
Grassroot DICOM–Grassroot DICOM An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `grayscale_convert` is called based on the value in the malicious DICOM file specifying the intended interpretation of the image pixel data. 2025-12-16 7.4 CVE-2025-53618 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210
 
Grassroot DICOM–Grassroot DICOM An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `null_convert` is called based on the value in the malicious DICOM file specifying the intended interpretation of the image pixel data. 2025-12-16 7.4 CVE-2025-53619 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210
 
Palantir–com.palantir.compute:compute-service Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This issue resulted in bypass of access control due to the presence of a vulnerable endpoint in Foundry Container Service that executed user-controlled commands locally. 2025-12-18 7.5 CVE-2025-53710 https://palantir.safebase.us/?tcuUid=4dbae101-79da-433c-8184-c70b78f4701b
 
BullWall–Ransomware Containment BullWall Ransomware Containment does not entirely inspect a file to determine if it is ransomware. An authenticated attacker could bypass detection by encrypting a file and leaving the first four bytes unaltered. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. 2025-12-18 7.1 CVE-2025-62000 url
 
NI–LabVIEW There is an out of bounds write vulnerability in NI LabVIEW in mgocre_SH_25_3!RevBL() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64461 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in LVResFile::RGetMemFileHandle() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64462 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in LVResource::DetachResource() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64463 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in lvre!VisaWriteFromFile() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64464 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in lvre!DataSizeTDR() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64465 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in lvre!ExecPostedProcRecPost() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64466 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is an out of bounds read vulnerability in NI LabVIEW in LVResFile::FindRsrcListEntry() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64467 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is a use-after-free vulnerability in sentry!sentry_span_set_data() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64468 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
NI–LabVIEW There is a stack-based buffer overflow vulnerability in NI LabVIEW in LVResFile::FindRsrcListEntry() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. 2025-12-18 7.8 CVE-2025-64469 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
 
Microsoft–Microsoft Purview '.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network. 2025-12-18 7.2 CVE-2025-64676 Microsoft Purview eDiscovery Remote Code Execution Vulnerability
 
OSC–ondemand Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0), centers can unset and/or edit these headers. Note that `OIDCPassClaimsAs both` is the default, and centers can set `OIDCPassClaimsAs` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with `OIDCPassClaimsAs` set to `none` or `environment` can adjust the settings using the guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies. 2025-12-17 7.6 CVE-2025-66029 https://github.com/OSC/ondemand/security/advisories/GHSA-2cwp-8g29-9q32
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user’s configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to directly interact with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although the vulnerability requires administrator privileges to exploit, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database’s configuration and user privileges. Version 6.5.3 patches the issue. 2025-12-17 7.2 CVE-2025-66396 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9
 
Foxit Software Inc.–Foxit PDF Editor A use-after-free vulnerability exists in the AcroForm handling of Foxit PDF Reader and Foxit PDF Editor before 2025.2.1, 14.0.1, and 13.2.1 on Windows. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code. 2025-12-19 7.8 CVE-2025-66493 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–Foxit PDF Reader A use-after-free vulnerability exists in the PDF file parsing of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows. A PDF object managed by multiple parent objects could be freed while still being referenced, potentially allowing a remote attacker to execute arbitrary code. 2025-12-19 7.8 CVE-2025-66494 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–Foxit PDF Reader A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and macOS. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code. 2025-12-19 7.8 CVE-2025-66495 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–Foxit PDF Reader A heap-based buffer overflow vulnerability exists in the PDF parsing of Foxit PDF Reader when processing specially crafted JBIG2 data. An integer overflow in the calculation of the image buffer size may occur, potentially allowing a remote attacker to execute arbitrary code. 2025-12-19 7.8 CVE-2025-66499 https://www.foxit.com/support/security-bulletins.html
 
homarr-labs–homarr Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in the LDAP search query. The vulnerability could impact all instances using LDAP authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue. 2025-12-17 7.5 CVE-2025-67493 https://github.com/homarr-labs/homarr/security/advisories/GHSA-59gp-q3xx-489q
 
Aiven-Open–myhoard MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null. 2025-12-18 7.1 CVE-2025-67745 https://github.com/Aiven-Open/myhoard/security/advisories/GHSA-v42r-6hr9-4hcr
https://github.com/Aiven-Open/myhoard/commit/fac89793bfc8c81ae040aadf5292f5d0100b6640
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue. 2025-12-16 7.2 CVE-2025-67751 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wxcc-gvfv-56fg
https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the “ReImport” functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamID_…` POST parameter. This can lead to unauthorized data access, modification, or deletion within the database. Version 6.5.3 has a patch for the issue. 2025-12-17 7.2 CVE-2025-68111 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c4vm-87vf-hmx9
 
vitejs–vite-plugin-react @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue. 2025-12-16 7.5 CVE-2025-68155 https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm
https://github.com/facebook/react/pull/29708
https://github.com/facebook/react/pull/30741
https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d
 
expr-lang–expr Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in version v1.17.7 of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch. 2025-12-16 7.5 CVE-2025-68156 https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
https://github.com/expr-lang/expr/pull/870
 
WeblateOrg–weblate Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. 2025-12-18 7.7 CVE-2025-68279 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7
https://github.com/WeblateOrg/weblate/pull/17331
https://github.com/WeblateOrg/weblate/pull/17356
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1
 
Elastic–Kibana Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation. 2025-12-18 7.2 CVE-2025-68385 https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182
 
storybookjs–storybook Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook, on both their local machines and CI environment, to version 7.6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environment variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets, as they will be included in the built bundle. 2025-12-17 7.3 CVE-2025-68429 https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6
https://storybook.js.org/blog/security-advisory
 
zed-industries–zed Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious LSP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered when a user opens a project file for which there is an LSP entry. A concerted effort by an attacker to seed a project settings file (`.zed/settings.json`) with malicious language server configurations could result in arbitrary code execution with the user’s privileges if the user opens the project in Zed without reviewing the contents. Version 0.218.2-pre fixes the issue by implementing a worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`.zed/settings.json`) before opening new projects in Zed. 2025-12-17 7.8 CVE-2025-68432 https://github.com/zed-industries/zed/security/advisories/GHSA-29cp-2hmh-hcxj
https://zed.dev/blog/secure-by-default
 
zed-industries–zed Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious MCP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered automatically without any user interaction besides opening the project in the IDE. Version 0.218.2-pre fixes the issue by implementing a worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`.zed/settings.json`) before opening new projects in Zed. 2025-12-17 7.8 CVE-2025-68433 https://github.com/zed-industries/zed/security/advisories/GHSA-cv6g-cmxc-vw8j
https://zed.dev/blog/secure-by-default
 
Ruijie Networks Co., Ltd.–AP180-PE V3.xx RG – AP180, Indoor Wall Plate Wireless AP AP180 series provided by Ruijie Networks Co., Ltd. contain an OS command injection vulnerability. An arbitrary OS command may be executed on the product by an attacker who logs in to the CLI service. 2025-12-18 7.2 CVE-2025-68459 https://www.ruijie.com.cn/gy/xw-aqtg-gw/930282/
https://jvn.jp/en/vu/JVNVU94068946/
 
Roundcube–Webmail Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. 2025-12-18 7.2 CVE-2025-68460 https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571
 
Roundcube–Webmail Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. 2025-12-18 7.2 CVE-2025-68461 https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
 
langflow-ai–langflow Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible, accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue. 2025-12-19 7.7 CVE-2025-68477 https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
 
langflow-ai–langflow Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body’s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue. 2025-12-19 7.1 CVE-2025-68478 https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
 
Yealink–RPS Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances. 2025-12-21 7.4 CVE-2025-68644 https://www.yealink.com/en/trust-center/security-bulletins/yealink-unauthorized-access-to-rps-vulnerability
https://www.yealink.com/website-service/download/Yealink_RPS_Security_Remediation_Verification_Report.pdf
 
Utarit Informatics Services Inc.–SoliClub Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7. 2025-12-18 7.5 CVE-2025-7358 https://www.usom.gov.tr/bildirim/tr-25-0466
 
JabCareer–WP JobHunt The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the ‘cs_update_application_status_callback’ function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the ‘status’ parameter of applied jobs for any user. 2025-12-20 7.6 CVE-2025-7782 https://www.wordfence.com/threat-intel/vulnerabilities/id/af063570-43f7-4bf4-850c-21c3bff40ac1?source=cve
https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
 
elextensions–ELEX WordPress HelpDesk & Customer Ticketing System The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 7.2 CVE-2025-9343 https://www.wordfence.com/threat-intel/vulnerabilities/id/042d9bc7-50ea-4585-9789-b10ed40b0d14?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3420695%40elex-helpdesk-customer-support-ticket-system&new=3420695%40elex-helpdesk-customer-support-ticket-system&sfp_email=&sfph_mail=
 
Autodesk–Shared Components A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9452 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9453 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9454 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9455 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9456 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9457 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9459 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 
Autodesk–Shared Components A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. 2025-12-15 7.8 CVE-2025-9460 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
 


Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
Kentico–Xperience A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks. 2025-12-18 6.5 CVE-2022-50682 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.79 Routing Engine CRLF Injection
 
Palantir–com.palantir.acme.gaia:gaia The Gotham Gaia application was found to expose multiple unauthenticated endpoints. 2025-12-19 6.8 CVE-2023-30971 https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb
 
websitebaker–WebsiteBaker WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory. 2025-12-16 6.5 CVE-2023-53902 ExploitDB-51554
WebsiteBaker Product Webpage
VulnCheck Advisory: WebsiteBaker 2.13.3 Directory Traversal via Media Delete Endpoint
 
Bludit–Backup Plugin Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin’s download functionality by manipulating file path parameters to read sensitive system files through directory traversal. 2025-12-17 6.5 CVE-2023-53907 ExploitDB-51541
Official Product Webpage
VulnCheck Advisory: Bludit 3.13.1 Authenticated Arbitrary File Download via Backup Plugin
 
Belden–HiSecOS HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Attackers can send crafted XML payloads to the /mops_data endpoint with a specific role value to elevate their user privileges to administrative level. 2025-12-17 6.5 CVE-2023-53908 ExploitDB-51537
Official Product Webpage
VulnCheck Advisory: HiSecOS 04.0.01 Privilege Escalation via User Role Modification
 
BiniSoft–USB Flash Drives Control USB Flash Drives Control 4.1.0.0 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\USB Flash Drives Control\usbcs.exe’ to inject malicious executables and escalate privileges on Windows systems. 2025-12-17 6.2 CVE-2023-53912 ExploitDB-51508
Official Product Webpage
VulnCheck Advisory: USB Flash Drives Control 4.1.0.0 Unquoted Service Path Privilege Escalation
 
powerstonegh–Affiliate Me Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the ‘id’ parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes. 2025-12-17 6.5 CVE-2023-53917 ExploitDB-51468
Official Vendor Homepage
VulnCheck Advisory: Affiliate Me 5.0.1 SQL Injection Vulnerability via Admin Panel
 
Easyphp–EasyPHP Webserver EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini. 2025-12-18 6.5 CVE-2023-53944 ExploitDB-51430
Official Product Homepage
VulnCheck Advisory: EasyPHP Webserver 14.1 Path Traversal via Directory Traversal Sequences
 
Websitebaker–WebsiteBaker WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users. 2025-12-19 6.4 CVE-2023-53953 ExploitDB-51349
Official Product Homepage
VulnCheck Advisory: WebsiteBaker 2.13.3 Stored Cross-Site Scripting via Page Creation
 
Actfax–ActFax ActFax 10.10 contains an unquoted service path vulnerability that allows local attackers to potentially escalate privileges by exploiting the ActiveFaxServiceNT service configuration. Attackers with write permissions to Program Files directories can inject a malicious ActSrvNT.exe executable to gain elevated system access when the service restarts. 2025-12-19 6.2 CVE-2023-53954 ExploitDB-51332
Official Product Homepage
VulnCheck Advisory: ActFax 10.10 Unquoted Path Services Privilege Escalation Vulnerability
 
Milestone Systems–XProtect VMS Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API. 2025-12-16 6.3 CVE-2025-0836 https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US
https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US
 
elemntor–Elementor Website Builder More Than Just a Page Builder The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-16 6.4 CVE-2025-11220 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve
https://plugins.trac.wordpress.org/changeset/3414494/elementor
 
rustaurius–Five Star Restaurant Reservations WordPress Booking Plugin The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rtb-name’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 6.1 CVE-2025-11496 https://www.wordfence.com/threat-intel/vulnerabilities/id/1889c1ba-f49f-474c-8d0a-0ae46fb92deb?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408446%40restaurant-reservations&new=3408446%40restaurant-reservations&sfp_email=&sfph_mail=
 
Zohocorp–ManageEngine ADManager Plus Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the “Impersonate as Admin” option enabled. 2025-12-15 6.4 CVE-2025-11670 https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-11670.html
 
extendthemes–Colibri Page Builder The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-19 6.4 CVE-2025-11747 https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve
https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251
https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php
 
zephyrproject-rtos–Zephyr An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic. 2025-12-15 6.5 CVE-2025-12035 https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p793-3456-h7w3
 
codersaiful–Product Table for WooCommerce The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘search_key’ parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-21 6.1 CVE-2025-12398 https://www.wordfence.com/threat-intel/vulnerabilities/id/35790e70-6e96-4ffe-9d4e-828dd649e8c0?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3420662%40woo-product-table&new=3420662%40woo-product-table&sfp_email=&sfph_mail=
 
kaizencoders–Attachments Handler The Attachments Handler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-20 6.1 CVE-2025-12581 https://www.wordfence.com/threat-intel/vulnerabilities/id/dc948f30-2fc2-40dd-878e-28e0eac857c7?source=cve
https://plugins.trac.wordpress.org/browser/attachments-handler/trunk/core/admin_table.class.php#L170
https://wordpress.org/plugins/attachments-handler/
 
Mattermost–Mattermost Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plug-in by sending a malformed request. 2025-12-17 6.5 CVE-2025-12689 https://mattermost.com/security-updates
 
awsmin–Embed Any Document Embed PDF, Word, PowerPoint and Excel Files The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-18 6.4 CVE-2025-12885 https://www.wordfence.com/threat-intel/vulnerabilities/id/efbdf0f0-6b38-418c-b3fb-396f89ada34f?source=cve
https://plugins.trac.wordpress.org/changeset/3406443/
 
netweblogic–Events Manager Calendar, Bookings, Tickets, and more! The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘events_list_grouped’ shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-18 6.4 CVE-2025-12976 https://www.wordfence.com/threat-intel/vulnerabilities/id/17e853b2-c7ab-478c-9c89-d8e3a42d1a42?source=cve
https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-shortcode.php#L119
https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-functions.php#L933
https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/templates/templates/events-list-grouped.php
https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/classes/em-events.php#L423
https://plugins.trac.wordpress.org/changeset/3413776/
 
ultimatemember–Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video ‘value’ field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user’s profile page. 2025-12-17 6.4 CVE-2025-13217 https://www.wordfence.com/threat-intel/vulnerabilities/id/876b57e0-cf1e-4ce9-ba85-a5d4554797bd?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/um-filters-fields.php#L80
https://plugins.trac.wordpress.org/changeset/3421362/
 
ultimatemember–Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 6.4 CVE-2025-13220 https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c06548-238d-4b75-8f20-d7de6fc21539?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L67
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L525
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L558
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L591
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L625
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L542
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421362%40ultimate-member&new=3421362%40ultimate-member&sfp_email=&sfph_mail=
 
radykal–Fancy Product Designer The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the ‘url’ parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch. 2025-12-16 6.5 CVE-2025-13231 https://www.wordfence.com/threat-intel/vulnerabilities/id/c56ec6ae-5b75-4cbb-aedd-f318fddc7bf0?source=cve
https://support.fancyproductdesigner.com/support/discussions/topics/13000036024
 
tikolan–WP Hallo Welt The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the ‘hallo_welt_seite’ function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting. 2025-12-20 6.1 CVE-2025-13365 https://www.wordfence.com/threat-intel/vulnerabilities/id/e422aa58-a335-4734-bbcd-d400bd44bc89?source=cve
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L53
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/tags/1.4./hallowelt.php#L53
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L54
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L66
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L15
https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L27
 
wpeverest–User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-13367 https://www.wordfence.com/threat-intel/vulnerabilities/id/2244945a-5b3a-463d-9910-46a6f7afaf6c?source=cve
https://plugins.trac.wordpress.org/changeset/3412096/user-registration/trunk/modules/membership/includes/Templates/membership-listing.php
https://plugins.trac.wordpress.org/changeset/3412096/user-registration/trunk/modules/membership/includes/Templates/thank-you-page.php
 
Fortra–Core Privileged Access Manager (BoKS) Insecure defaults in the Server Agent component of Fortra’s Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain. 2025-12-16 6.2 CVE-2025-13532 https://www.fortra.com/security/advisories/product-security/fi-2025-014
 
livecomposer–Live Composer Free WordPress Website Builder The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-17 6.4 CVE-2025-13537 https://www.wordfence.com/threat-intel/vulnerabilities/id/a9f8ab73-8c2a-4551-bad9-4e5cc67231e5?source=cve
https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/js/src/client/frontend/index.js#L126
https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/js/src/client/frontend/index.js#L926
https://plugins.trac.wordpress.org/changeset/3419715/
 
caterhamcomputing–CC Child Pages The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘child_pages’ shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the ‘show_child_pages’ function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-13608 https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve
https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages
 
metagauss–RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘RM_Forms’ shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output escaping on the ‘theme’ attribute. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-13610 https://www.wordfence.com/threat-intel/vulnerabilities/id/4be512bd-190a-415a-bd20-a49373f63fbb?source=cve
https://plugins.trac.wordpress.org/changeset/3414853/custom-registration-form-builder-with-submission-manager
 
travishoki–Overstock Affiliate Links The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2025-12-20 6.1 CVE-2025-13624 https://www.wordfence.com/threat-intel/vulnerabilities/id/c06207da-d15d-4540-84be-218fa9055fd5?source=cve
https://wordpress.org/plugins/overstock-affiliate-links/
https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/trunk/sandbox_page.php#L18
https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/tags/1.1/sandbox_page.php#L18
 
wpchill–Image Photo Gallery Final Tiles Grid The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Custom scripts’ setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 6.4 CVE-2025-13693 https://www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac?source=cve
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php#L126
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php#L126
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418337%40final-tiles-grid-gallery-lite&new=3418337%40final-tiles-grid-gallery-lite&sfp_email=&sfph_mail=
 
techjewel–FluentAuth The Ultimate Authorization & Security Plugin for WordPress The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-13728 https://www.wordfence.com/threat-intel/vulnerabilities/id/a3187d3e-e1da-4af7-a1fa-9657389f9e22?source=cve
https://plugins.trac.wordpress.org/changeset/3409232/fluent-security/tags/2.1.0/app/Hooks/Handlers/CustomAuthHandler.php
 
daggerhart–OpenID Connect Generic Client The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘openid_connect_generic_auth_url’ shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-18 6.4 CVE-2025-13730 https://www.wordfence.com/threat-intel/vulnerabilities/id/fe5fd453-b1fc-4d52-bb46-aebd68508891?source=cve
https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/openid-connect-generic.php#L168
https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php#L241
https://plugins.trac.wordpress.org/changeset/3418927
 
someguy9–Lightweight Accordion The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `lightweight-accordion` shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-13740 https://www.wordfence.com/threat-intel/vulnerabilities/id/f117f713-e2f1-4803-87f7-14b1576d823b?source=cve
https://plugins.trac.wordpress.org/changeset/3413649/
 
htplugins–WishSuite Wishlist for WooCommerce The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter of the ‘wishsuite_button’ shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 6.4 CVE-2025-13838 https://www.wordfence.com/threat-intel/vulnerabilities/id/4e1cd584-ffb8-43d6-a7b6-141c59ac463d?source=cve
https://plugins.trac.wordpress.org/browser/wishsuite/trunk/includes/templates/wishsuite-button-add.php#L1
https://plugins.trac.wordpress.org/browser/wishsuite/tags/1.5.1/includes/templates/wishsuite-button-add.php#L1
https://plugins.trac.wordpress.org/changeset/3419202/
 
linksoftware–HTML Forms Simple WordPress Forms Plugin The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page. 2025-12-17 6.1 CVE-2025-13861 https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve
https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321
https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail=
 
adreastrian–WP Social Ninja Embed Social Feeds, User Reviews & Chat Widgets The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify the plugin’s advanced settings. 2025-12-17 6.5 CVE-2025-13880 https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176
https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144
 
Inductive Automation–Ignition The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict which Python libraries can be imported and executed within the scripting environment. The core issue lies in the Ignition service account having system permissions beyond what an Ignition privileged user requires. When an authenticated administrator uploads a malicious project file containing Python scripts with bind shell capabilities, the application executes these scripts with the same privileges as the Ignition Gateway process, which typically runs with SYSTEM-level permissions on Windows. Alternative code execution patterns could lead to similar results. 2025-12-18 6.4 CVE-2025-13911 https://security.inductiveautomation.com/
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json
 
wpdevteam–Essential Addons for Elementor Popular Elementor Templates & Widgets The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget’s custom attributes handling and the Image Masking module’s element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-17 6.4 CVE-2025-13977 https://www.wordfence.com/threat-intel/vulnerabilities/id/a0de0b28-fbad-4fcf-a7ab-35c545c19a4a?source=cve
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/assets/front-end/js/view/event-calendar.min.js
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/includes/Extensions/Image_Masking.php#L498
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/includes/Extensions/Image_Masking.php#L587
https://plugins.trac.wordpress.org/changeset/3419289/essential-addons-for-elementor-lite/trunk/includes/Extensions/Image_Masking.php
 
IBM–UCD – IBM DevOps Deploy IBM UCD – IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token. 2025-12-15 6.5 CVE-2025-14148 https://www.ibm.com/support/pages/node/7254663
 
veronalabs–SlimStat Analytics The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘outbound_resource’ parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-19 6.1 CVE-2025-14151 https://www.wordfence.com/threat-intel/vulnerabilities/id/6ee675dd-5b43-439f-9717-6c531e9bf066?source=cve
https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.2/admin/view/wp-slimstat-reports.php#L1341
https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.2/admin/view/right-now.php#L273
https://plugins.trac.wordpress.org/changeset/3421814/wp-slimstat/trunk?contextall=1&old=3401545&old_path=%2Fwp-slimstat%2Ftrunk#file4
 
wordplus–Better Messages Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-17 6.1 CVE-2025-14154 https://www.wordfence.com/threat-intel/vulnerabilities/id/d68bbf0d-72e9-4295-a1e1-4abeb36cae1b?source=cve
https://plugins.trac.wordpress.org/changeset/3420771/bp-better-messages/trunk/inc/guests.php
 
GIGABYTE–intel 600 chipset Motherboard Certain motherboard models developed by GIGABYTE have a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. 2025-12-17 6.8 CVE-2025-14302 https://www.twcert.org.tw/tw/cp-132-10574-ddf09-1.html
https://www.twcert.org.tw/en/cp-139-10575-e4f41-2.html
https://www.gigabyte.com/Support/Security?type=1
 
MSI–Intel 600 chipset motherboard Certain motherboard models developed by MSI have a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. 2025-12-17 6.8 CVE-2025-14303 https://www.twcert.org.tw/tw/cp-132-10576-0a0fd-1.html
https://www.twcert.org.tw/en/cp-139-10577-3cd58-2.html
https://csr.msi.com/global/product-security-advisories
 
ASRock–Intel 500 chipset motherboard Certain motherboard models developed by ASRock and its subsidiaries ASRockRack and ASRockInd have a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. 2025-12-17 6.8 CVE-2025-14304 https://www.twcert.org.tw/tw/cp-132-10578-c43b4-1.html
https://www.twcert.org.tw/en/cp-139-10579-9205b-2.html
https://www.asrock.com/support/Security.asp
https://www.asrockind.com/zh-tw/security-center
 
Proliz Software Ltd.–OBS (Student Affairs Information System)0 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS. This issue affects OBS (Student Affairs Information System)0: before 26.5009. 2025-12-17 6.3 CVE-2025-14347 https://www.usom.gov.tr/bildirim/tr-25-0463
 
brechtvds–WP Recipe Maker The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-17 6.4 CVE-2025-14385 https://www.wordfence.com/threat-intel/vulnerabilities/id/e6030712-ae4f-4cdb-a500-dff689947ff3?source=cve
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L244
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L372
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-name.php#L83
https://plugins.trac.wordpress.org/changeset/3419784/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php
 
thimpress–LearnPress WordPress LMS Plugin The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-15 6.4 CVE-2025-14387 https://www.wordfence.com/threat-intel/vulnerabilities/id/f29b3a37-436d-4d03-8818-d5267b23067b?source=cve
https://github.com/LearnPress/learnpress/commit/3bdaa63920c7d485e7efa7c92d3f19273a2916ff
 
bookingalgorithms–BA Book Everything The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s babe-search-form shortcode in all versions up to, and including, 1.8.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-19 6.4 CVE-2025-14449 https://www.wordfence.com/threat-intel/vulnerabilities/id/2be1fbfc-a809-4a42-9be4-24c8274c1e71?source=cve
https://plugins.trac.wordpress.org/changeset/3418011/ba-book-everything
 
fastpi-sso–fastapi-sso Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user’s session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker’s account being linked to the victim’s internal account. 2025-12-19 6.3 CVE-2025-14546 https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPISSO-14386403
https://github.com/tomasvotava/fastapi-sso/commit/6117d1a5ad498ba57d671e8a059ebe20db5abe02
https://github.com/tomasvotava/fastapi-sso/issues/266
 
Ugreen–DH2100+ A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 6.6 CVE-2025-14693 VDB-336411 | Ugreen DH2100+ USB symlink
VDB-336411 | CTI Indicators (IOB, IOC)
Submit #704646 | Ugreen NAS DH2100+ V5.3.0 Incorrect Access Control
Submit #704657 | Ugreen Ugreen NAS DH2100+ V5.3.0 Incorrect Access Control (Duplicate)
https://www.notion.so/2bc6cf4e528a8083bf3fc6f7a953f0a1
 
SamuNatsu–HaloBot A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Executing manipulation of the argument action can lead to dynamically-managed code resources. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-15 6.3 CVE-2025-14695 VDB-336413 | SamuNatsu HaloBot Inter-plugin API index.js html_renderer dynamically-managed code resources
VDB-336413 | CTI Indicators (IOB, IOC, IOA)
Submit #705587 | SamuNatsu HaloBot 1.0 Improper Control of Dynamically-Managed Code Resources
https://github.com/rassec2/dbcve/issues/20
 
CTCMS–Content Management System A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CT_Parser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a template engine. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. 2025-12-15 6.3 CVE-2025-14731 VDB-336488 | CTCMS Content Management System Frontend/Template Management CT_Parser.php special elements used in a template engine
VDB-336488 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707106 | ctcms 2.1.2 Command Injection
Submit #707107 | ctcms 2.1.2 Command Injection (Duplicate)
https://note-hxlab.wetolink.com/share/Ros8ZIeCLQrN
https://note-hxlab.wetolink.com/share/U6cnRoRfn09r
 
Ningyuanda–TC155 A vulnerability was identified in Ningyuanda TC155 57.0.2.0. This impacts an unknown function of the file /onvif/device_service of the component ONVIF PTZ Control Interface. The manipulation leads to improper access controls. The attack requires being on the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-16 6.3 CVE-2025-14749 VDB-336522 | Ningyuanda TC155 ONVIF PTZ Control device_service access control
VDB-336522 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707198 | Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Unauthenticated ONVIF PTZ Full Remote Camera Control
https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-PTZ-Remote-Control.md
 
ALASCA–YAOOK Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials. 2025-12-16 6.5 CVE-2025-14758 GitLab Issue #631
 
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID. 2025-12-16 6 CVE-2025-14777 https://access.redhat.com/security/cve/CVE-2025-14777
RHBZ#2422596
 
Xiongwei–Smart Catering Cloud Platform A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. 2025-12-16 6.3 CVE-2025-14780 VDB-336607 | Xiongwei Smart Catering Cloud Platform dish_trade_detail_get sql injection
VDB-336607 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #674051 | Hangzhou Xiongwei Technology Development Co., Ltd Smart Catering Cloud Platform 2.1.6446.28761 SQL injection
https://github.com/zhangbuneng/3/issues/1
 
code-projects–Simple Stock System A weakness has been identified in code-projects Simple Stock System 1.0. This affects an unknown function of the file /checkuser.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-17 6.3 CVE-2025-14834 VDB-336983 | code-projects Simple Stock System checkuser.php sql injection
VDB-336983 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715228 | code-projects Simple Stock System In PHP 1.0 SQL Injection
https://gist.github.com/b1uel0n3/06593fd15acd0f2f61c29c5595453755
https://code-projects.org/
 
y_project–RuoYi A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2025-12-18 6.3 CVE-2025-14856 VDB-337047 | y_project RuoYi getnames code injection
VDB-337047 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710152 | Ruoyi Management System V4.8.1 Code Injection
https://github.com/ltranquility/CVE/issues/26
 
SourceCodester–Client Database Management System A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. 2025-12-18 6.3 CVE-2025-14885 VDB-337373 | SourceCodester Client Database Management System Leads Generation user_leads.php unrestricted upload
VDB-337373 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715595 | SourceCodester Client Database Management System 1 Unrestricted Upload
https://medium.com/@rvpipalwa/remote-code-execution-rce-vulnerability-report-4394b38ff90e
https://www.sourcecodester.com/
 
JeecgBoot–JeecgBoot A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Performing manipulation of the argument ID results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The patch is named e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2/67795493bdc579e489d3ab12e52a1793c4f8a0ee. It is recommended to apply a patch to fix this issue. 2025-12-19 6.3 CVE-2025-14908 VDB-337432 | JeecgBoot Multi-Tenant Management SysTenantController.java improper authentication
VDB-337432 | CTI Indicators (IOB, IOC, IOA)
Submit #715742 | jeecgboot 3.9.0 bfla
https://github.com/jeecgboot/JeecgBoot/issues/9196
https://github.com/jeecgboot/JeecgBoot/commit/e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2
 
Elastic–Elasticsearch Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. 2025-12-15 6.8 CVE-2025-37731 https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2025-12-18 6.1 CVE-2025-40893 https://security.nozominetworks.com/NN-2025:14-01
 
Advantech–WebAccess/SCADA Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands. 2025-12-18 6.3 CVE-2025-46268 https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
 
Qualcomm, Inc.–Snapdragon Information disclosure while exposing internal TA-to-TA communication APIs to HLOS. 2025-12-18 6.7 CVE-2025-47319 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
Qualcomm, Inc.–Snapdragon Information disclosure while processing system calls with invalid parameters. 2025-12-18 6.5 CVE-2025-47325 https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html
 
glpi-project–glpi GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. 2025-12-16 6.5 CVE-2025-59935 https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx
 
BullWall–Server Intrusion Protection BullWall Server Intrusion Protection has a noticeable delay before the MFA check when connecting via RDP. A remote authenticated attacker with administrative privileges can potentially bypass detection during this window. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. 2025-12-18 6.2 CVE-2025-62003
 
BullWall–Server Intrusion Protection BullWall Server Intrusion Protection services are initialized after login services. An authenticated attacker with administrative permissions can log in after boot and bypass MFA. SIP service does not retroactively enforce the challenge or disconnect unauthenticated sessions. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. 2025-12-18 6.2 CVE-2025-62004
 
Tormorten–WP Microdata Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tormorten WP Microdata allows Stored XSS. This issue affects WP Microdata: from n/a through 1.0. 2025-12-21 6.5 CVE-2025-62901 https://vdp.patchstack.com/database/wordpress/plugin/wp-microdata/vulnerability/wordpress-wp-microdata-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
HappyDevs–TempTool Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HappyDevs TempTool allows Stored XSS. This issue affects TempTool: from n/a through 1.3.1. 2025-12-21 6.5 CVE-2025-62926 https://vdp.patchstack.com/database/wordpress/plugin/current-template-name/vulnerability/wordpress-temptool-show-current-template-info-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AmentoTech–Tuturn Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in AmentoTech Tuturn allows Path Traversal. This issue affects Tuturn: from n/a before 3.6. 2025-12-18 6.5 CVE-2025-64235 https://vdp.patchstack.com/database/wordpress/plugin/tuturn/vulnerability/wordpress-tuturn-plugin-3-6-arbitrary-file-download-vulnerability?_s_id=cve
 
Crocoblock–JetElements For Elementor Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crocoblock JetElements For Elementor allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through 2.7.12. 2025-12-18 6.5 CVE-2025-64355 https://vdp.patchstack.com/database/wordpress/plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
glpi-project–glpi GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch. 2025-12-16 6.5 CVE-2025-64520 https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q
https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3
 
pluginsGLPI–databaseinventory pluginsGLPI’s Database Inventory Plugin “manages” the Teclib’ inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup, and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue. 2025-12-19 6.4 CVE-2025-65035 https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-xc3r-32rx-3j4j
https://github.com/pluginsGLPI/databaseinventory/commit/08c7055d2c5fc744cb092d7d56a608e359c56f1a
https://github.com/pluginsGLPI/databaseinventory/blob/1.1.2/CHANGELOG.md#112---2025-11-25
 
PickPlugins–Post Grid and Gutenberg Blocks Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.17. 2025-12-18 6.5 CVE-2025-66058 https://vdp.patchstack.com/database/wordpress/plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-17-broken-access-control-vulnerability-2?_s_id=cve
 
Hikvision–DS-7104HGHI-F1 There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment. 2025-12-19 6.2 CVE-2025-66173 https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/
 
Hikvision–DS-7104HGHI-F1 There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands. 2025-12-19 6.5 CVE-2025-66174 https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/
 
Foxit Software Inc.–webplugins.foxit.com A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received. 2025-12-19 6.3 CVE-2025-66500 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties. 2025-12-19 6.3 CVE-2025-66501 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded. 2025-12-19 6.3 CVE-2025-66502 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed. 2025-12-19 6.3 CVE-2025-66519 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered. 2025-12-19 6.3 CVE-2025-66520 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded. 2025-12-19 6.3 CVE-2025-66521 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–pdfonline.foxit.com A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded. 2025-12-19 6.3 CVE-2025-66522 https://www.foxit.com/support/security-bulletins.html
 
netty–netty Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue. 2025-12-16 6.5 CVE-2025-67735 https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
 
Mintlify–Mintlify Platform The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant’s assets can be served on any other tenant’s documentation site. 2025-12-19 6.4 CVE-2025-67842 https://www.mintlify.com/docs/changelog
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
https://kibty.town/blog/mintlify/
https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28
https://news.ycombinator.com/item?id=46317098
https://heartbreak.ing
 
Mintlify–Mintlify Platform A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences. 2025-12-19 6.4 CVE-2025-67845 https://www.mintlify.com/docs/changelog
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
https://kibty.town/blog/mintlify/
https://news.ycombinator.com/item?id=46317098
https://heartbreak.ing/
 
altcha-org–altcha-lib ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `<salt>?expires=<time>&`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator. 2025-12-16 6.5 CVE-2025-68113 https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959
https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e
https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8
https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114
https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0
https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b
https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08
https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0
https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1
https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1
 
auth0–auth0-PHP Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue. 2025-12-17 6.8 CVE-2025-68129 https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h
https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g
https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7
https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f
https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3
https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479
https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de
https://github.com/auth0/auth0-PHP/releases/tag/8.18.0
https://github.com/auth0/laravel-auth0/releases/tag/7.20.0
https://github.com/auth0/symfony/releases/tag/5.6.0
https://github.com/auth0/wordpress/releases/tag/5.5.0
 
tox-dev–filelock filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and the ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. 2025-12-16 6.3 CVE-2025-68146 https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f
https://github.com/tox-dev/filelock/pull/461
https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
https://github.com/tox-dev/filelock/releases/tag/3.20.1
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11.1, excessive privileges were possible due to storing a GitHub personal access token instead of an installation token. 2025-12-16 6.5 CVE-2025-68267 https://www.jetbrains.com/privacy-security/issues-fixed/
 
Elastic–Packetbeat Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid fragment sequence number. 2025-12-18 6.5 CVE-2025-68381 https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-30/384178
 
Elastic–Packetbeat Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC messages. 2025-12-18 6.5 CVE-2025-68382 https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-31/384179
 
Elastic–Filebeat Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. 2025-12-18 6.5 CVE-2025-68383 https://discuss.elastic.co/t/filebeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-32/384180
 
Elastic–Elasticsearch Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data. 2025-12-18 6.5 CVE-2025-68384 https://discuss.elastic.co/t/elasticsearch-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-33/384181
 
Elastic–Kibana Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator. 2025-12-18 6.1 CVE-2025-68387 https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183
 
Elastic–Kibana Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. 2025-12-18 6.5 CVE-2025-68389 https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-36/384184
 
Arista Networks–EOS On affected platforms running Arista EOS with OSPFv3 configured, a specially crafted packet can cause the OSPFv3 process to have high CPU utilization, which may result in the OSPFv3 process being restarted. This may cause disruption in the OSPFv3 routes on the switch. This issue was discovered internally by Arista, and Arista is not aware of any malicious uses of this issue in customer networks. 2025-12-16 6.5 CVE-2025-8872 https://www.arista.com/en/support/advisories-notices/security-advisory/23115-security-advisory-0128
 
Zohocorp–ManageEngine Applications Manager Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view. 2025-12-18 6.1 CVE-2025-9787 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9787.html
 
Kentico–Xperience An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading. 2025-12-18 5.3 CVE-2019-25228 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure
 
Kentico–Xperience A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users’ browsers. 2025-12-18 5.4 CVE-2022-50681 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.88 Rich Text Editor Reflected XSS
 
Kentico–Xperience An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messages. Detailed error messages can expose internal system information and potentially reveal implementation details to unauthorized users. 2025-12-18 5.3 CVE-2022-50686 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0 Portal Engine Form Control Information Disclosure
 
HappyFiles–HappyFiles Pro Missing Authorization vulnerability in HappyFiles HappyFiles Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HappyFiles Pro: from n/a through 1.8.1. 2025-12-21 5.4 CVE-2023-25445 https://vdp.patchstack.com/database/wordpress/plugin/happyfiles-pro/vulnerability/wordpress-happyfiles-pro-plugin-1-8-1-broken-access-control-vulnerability?_s_id=cve
 
Unknown–WBCE CMS WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests. 2025-12-16 5.4 CVE-2023-53901 ExploitDB-51566
WBCE CMS Product Webpage
VulnCheck Advisory: WBCE CMS 1.6.1 Cross-Site Scripting and Open Redirect Vulnerability
 
websitebaker–WebsiteBaker WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks. 2025-12-16 5.4 CVE-2023-53903 ExploitDB-51553
WebsiteBaker Product Webpage
VulnCheck Advisory: WebsiteBaker 2.13.3 Stored Cross-Site Scripting via SVG File Upload
 
wbce-cms–WBCE CMS WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file. 2025-12-17 5.4 CVE-2023-53909 ExploitDB-51484
Official Product Webpage
VulnCheck Advisory: WBCE CMS 1.6.1 SVG File Content Cross-Site Scripting
 
wbce-cms–WBCE CMS WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script content in the content parameter to execute JavaScript when users view the affected page. 2025-12-17 5.4 CVE-2023-53910 ExploitDB-51484
Official Product Webpage
VulnCheck Advisory: WBCE CMS 1.6.1 Stored Cross-Site Scripting via Page Content
 
Zenphoto–Zenphoto Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users view the album page. 2025-12-17 5.4 CVE-2023-53915 ExploitDB-51485
Official Product Webpage
VulnCheck Advisory: Zenphoto 1.6 Stored Cross-Site Scripting via Album Description
 
Zenphoto–Zenphoto Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the postal code field execute in their browser context. 2025-12-17 5.4 CVE-2023-53916 ExploitDB-51485
Official Product Webpage
VulnCheck Advisory: Zenphoto 1.6 Stored Cross-Site Scripting via User Postal Code Field
 
Podcastgenerator–PodcastGenerator PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page (episodes_list.php). 2025-12-17 5.4 CVE-2023-53918 ExploitDB-51454
Official Product Webpage
VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Episode Title Field
 
Ulicms–Ulicms UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users. 2025-12-17 5.4 CVE-2023-53925 ExploitDB-51435
Archived Product Webpage
VulnCheck Advisory: UliCMS 2023.1 Stored Cross-Site Scripting via SVG File Upload
 
Php-fusion–PHPFusion PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. 2025-12-17 5.4 CVE-2023-53928 ExploitDB-51411
Official Product Homepage
VulnCheck Advisory: PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload
 
Revive-adserver–revive-adserver Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page. 2025-12-17 5.4 CVE-2023-53931 ExploitDB-51401
Official Product Homepage
VulnCheck Advisory: Revive Adserver 5.4.1 Cross-Site Scripting via Banner Advanced Settings
 
Codester–WBiz Desk WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the ‘tk’ parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint. 2025-12-18 5.4 CVE-2023-53935 ExploitDB-51451
Official Product Homepage
VulnCheck Advisory: WBiz Desk 1.2 SQL Injection Vulnerability via ticket.php Parameter
 
tuzitio–Cameleon CMS Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript. 2025-12-18 5.4 CVE-2023-53936 ExploitDB-51446
Product GitHub Repository
VulnCheck Advisory: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation
 
iwind–RockMongo RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in database, collection, and login parameters to execute arbitrary JavaScript in the victim’s browser. 2025-12-18 5.4 CVE-2023-53938 ExploitDB-51437
Official Product Homepage
VulnCheck Advisory: RockMongo 1.1.7 Stored Cross-Site Scripting Vulnerability via Multiple Parameters
 
TinyWebGallery–TinyWebGallery TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages. 2025-12-18 5.4 CVE-2023-53939 ExploitDB-51442
Official Product Homepage
VulnCheck Advisory: TinyWebGallery v2.5 Stored Cross-Site Scripting via Folder Name Parameter
 
Glpi-Project–GLPI GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. 2025-12-18 5.3 CVE-2023-53943 ExploitDB-51418
Official Product Homepage
VulnCheck Advisory: GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint
 
Kentico–Xperience A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the ‘requireSSL’ attribute, potentially compromising session security and authentication state. 2025-12-18 5.3 CVE-2024-58317 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.164 Cookie Security Configuration
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious scripts to execute in users’ browsers. 2025-12-18 5.4 CVE-2024-58318 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.162 Rich Text Editor Stored XSS
 
Kentico–Xperience A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users’ browsers. 2025-12-18 5.4 CVE-2024-58319 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.160 Pages Dashboard Widget Reflected XSS
 
Kentico–Xperience An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details. 2025-12-18 5.3 CVE-2024-58320 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.159 Authentication Information Disclosure
 
Mitsubishi Electric Corporation–GT Designer3 Version1 (GOT2000) Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 Version1 (GOT2000) all versions and Mitsubishi Electric GT Designer3 Version1 (GOT1000) all versions allows a local unauthenticated attacker to obtain plaintext credentials from the project file for GT Designer3. This could allow the attacker to illegally operate GOT2000 series or GOT1000 series devices by using the obtained credentials. 2025-12-17 5.1 CVE-2025-11009 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-017_en.pdf
https://jvn.jp/vu/JVNVU99629801/
 
jetmonsters–JetFormBuilder Dynamic Blocks Form Builder The JetFormBuilder – Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming the site’s AI usage limits. 2025-12-16 5.3 CVE-2025-11991 https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve
https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26
 
ultimatemember–Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space. 2025-12-20 5.3 CVE-2025-12492 https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/templates/members.php#L26
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-ajax-common.php#L61
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L2795
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L205
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/class-functions.php#L41
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3421362%40ultimate-member%2Ftrunk&old=3408617%40ultimate-member%2Ftrunk&sfp_email=&sfph_mail=
 
wedevs–Dokan Pro The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates. 2025-12-16 5.3 CVE-2025-12809 https://www.wordfence.com/threat-intel/vulnerabilities/id/534557b0-16d2-4a77-a118-b66fc7474ecf?source=cve
https://dokan.co/wordpress/changelog/
 
lbell–Pretty Google Calendar The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin’s settings. 2025-12-20 5.3 CVE-2025-12898 https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24?source=cve
https://wordpress.org/plugins/pretty-google-calendar/
 
radykal–Fancy Product Designer The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the ‘url’ parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php. 2025-12-16 5.9 CVE-2025-13439 https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd6df9d-2963-44b1-bc4e-e53eda97a2a9?source=cve
https://support.fancyproductdesigner.com/support/discussions/topics/13000036024
 
IBM–UCD – IBM DevOps Deploy IBM UCD – IBM DevOps Deploy 8.1 through 8.1.2.3 Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. 2025-12-15 5.9 CVE-2025-13489 https://www.ibm.com/support/pages/node/7254662
 
croixhaug–Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services. 2025-12-19 5.3 CVE-2025-13754 https://www.wordfence.com/threat-intel/vulnerabilities/id/10d7a50c-41e9-41b7-a171-d72dbe08e7b7?source=cve
https://plugins.trac.wordpress.org/changeset/3421427/simply-schedule-appointments/trunk/includes/class-shortcodes.php
 
onesignal–OneSignal Web Push Notifications The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests. 2025-12-15 5.3 CVE-2025-13950 https://www.wordfence.com/threat-intel/vulnerabilities/id/cf2b5d05-24a3-4bc8-9dde-a7e8ce13ea16?source=cve
https://github.com/OneSignal/OneSignal-WordPress-Plugin/pull/387/files
 
thimpress–LearnPress WordPress LMS Plugin The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin’s order statistics, including total revenue summaries and order status counts. 2025-12-16 5.3 CVE-2025-13956 https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b833c3-818d-4646-bd6d-8b3be13ea0f1?source=cve
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/rest-api/v1/frontend/class-lp-rest-orders-controller.php#L36
 
LINE Corporation–LINE client for Android LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return from another application, potentially allowing attackers to conduct phishing attacks by impersonating legitimate interfaces. 2025-12-15 5.4 CVE-2025-14020 https://hackerone.com/reports/2547989
 
tainacan–Tainacan The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API, provided they can access the WordPress site. 2025-12-21 5.3 CVE-2025-14043 https://www.wordfence.com/threat-intel/vulnerabilities/id/5596a0f0-6bfe-4c6e-a0d6-117e13117098?source=cve
https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php#L363
https://plugins.trac.wordpress.org/browser/tainacan/tags/1.0.1/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php#L363
 
wplegalpages–Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID. 2025-12-17 5.3 CVE-2025-14061 https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d?source=cve
https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8091
https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8878
 
wpshuffle–Frontend Post Submission Manager Lite Frontend Posting WordPress Plugin The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors. 2025-12-21 5.3 CVE-2025-14080 https://www.wordfence.com/threat-intel/vulnerabilities/id/3e9b6514-e727-42fe-8893-a317b71b2760?source=cve
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/cores/ajax-process-form.php#L104
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.5/includes/cores/ajax-process-form.php#L104
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419835%40frontend-post-submission-manager-lite&new=3419835%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail=
 
Radiometer Medical Aps–ABL90 FLEX and ABL90 FLEX PLUS Analyzers A “Privilege boundary violation” vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer the possibility to gain unauthorized access to functionalities outside the restricted environment. The vulnerability is due to weakness in the design of access control implementation in application software. Other related CVEs are CVE-2025-14096 & CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required configuration for Exposure: Physical access to the analyzer is needed. Temporary work Around: Only authorized people can physically access the analyzer. Permanent solution: Local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit Status: Researchers have provided working proof-of-concept. Radiometer is not aware of any publicly available exploit at the time of publication. Note: CVSS score 6.8 when underlying OS is Windows 7 or Windows XP Operating systems and CVSS score 5.7 when underlying OS is Windows 8 or Windows 10 operating systems. 2025-12-17 5.7 CVE-2025-14095 https://www.radiometer.com/myradiometer
 
damian-gora–FiboSearch Ajax Search for WooCommerce The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch “Replace search bars” option enabled for TheGem integration. 2025-12-20 5.4 CVE-2025-14298 https://www.wordfence.com/threat-intel/vulnerabilities/id/8149103e-105d-401d-8a15-b07d131baaac?source=cve
https://wordpress.org/plugins/ajax-search-for-woocommerce
https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L94
https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L104
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3420841%40ajax-search-for-woocommerce%2Ftrunk&old=3398612%40ajax-search-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=#file136
 
wpchill–Image Photo Gallery Final Tiles Grid The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators. 2025-12-19 5.4 CVE-2025-14455 https://www.wordfence.com/threat-intel/vulnerabilities/id/830663b6-0786-48c7-9ffd-ac3ba2bd3e0c?source=cve
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L528
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L684
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L213
https://plugins.trac.wordpress.org/changeset/3417363/final-tiles-grid-gallery-lite/trunk/FinalTilesGalleryLite.php
 
Güralp Systems–Fortimus Series A vulnerability in the web interface of the Güralp Fortimus Series, Minimus Series and Certimus Series allows an unauthenticated attacker with network access to send specially-crafted HTTP requests that can cause the web service process to deliberately restart. Although this mechanism limits the impact of the attack, it results in a brief denial-of-service condition during the restart. 2025-12-16 5.3 CVE-2025-14466 https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-350-01.json
 
niao70–F70 Lead Document Download The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘file_download’ function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs. 2025-12-20 5.3 CVE-2025-14633 https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve
https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61
https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61
 
Shenzhen Sixun Software–Sixun Shanghui Group Business Management System A vulnerability was identified in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this vulnerability is an unknown functionality of the file /api/GylOperator/UpdatePasswordBatch. The manipulation leads to weak password recovery. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 5.3 CVE-2025-14696 VDB-336414 | Shenzhen Sixun Software Sixun Shanghui Group Business Management System UpdatePasswordBatch password recovery
VDB-336414 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705601 | Shenzhen Sixun Software Co., Ltd. Sissyun Shanghui 7 Online Business System 4.10.24.3 Unauthorized
https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1
https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1#issue-3688839620
 
Municorn–FAX App A security vulnerability has been detected in Municorn FAX App 3.27.0 on Android. This vulnerability affects unknown code of the component biz.faxapp.app. Such manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 5.3 CVE-2025-14699 VDB-336417 | Municorn FAX App biz.faxapp.app path traversal
VDB-336417 | CTI Indicators (IOB, IOC, TTP)
Submit #706215 | MUNICORN LIMITED(https://comfax.com/) FAX App: Send Faxes from Phone APP (biz.faxapp.app) Version:V3.27.0 Path Traversal
https://github.com/Secsys-FDU/AF_CVEs/issues/3
 
Shiguangwu–sgwbox N3 A vulnerability has been found in Shiguangwu sgwbox N3 2.0.25. The affected element is an unknown function of the file /fsnotify of the component POST Message Handler. The manipulation of the argument token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 5.3 CVE-2025-14703 VDB-336420 | Shiguangwu sgwbox N3 POST Message fsnotify improper authentication
VDB-336420 | CTI Indicators (IOB, IOC, IOA)
Submit #706914 | sgwbox N3 NAS V2.0.25 Auth Bypass
https://www.notion.so/sgwbox-NAS-N3-Auth-Bypass-2be6cf4e528a8092b261fbc2abc3430c?source=copy_link
 
mansoormunib–RESPONSIVE AND SWIPE SLIDER! The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-20 5.5 CVE-2025-14721 https://www.wordfence.com/threat-intel/vulnerabilities/id/b82e6dce-b130-4025-b6e3-bde2350a6362?source=cve
https://plugins.trac.wordpress.org/browser/responsive-and-swipe-slider/trunk/shortcode.php#L100
 
nestornoe–Amazon affiliate lite Plugin The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the ‘ADAL_settings_page’ function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-20 5.4 CVE-2025-14734 https://www.wordfence.com/threat-intel/vulnerabilities/id/8175ff00-e588-46cf-a743-9c4d4717657a?source=cve
https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L99
 
Ningyuanda–TC155 A vulnerability was determined in Ningyuanda TC155 57.0.2.0. This affects an unknown function of the file /onvif/device_service of the component ONVIF Device Management Service. Executing manipulation of the argument FactoryDefault with the input Hard can lead to improper access controls. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-16 5.4 CVE-2025-14748 VDB-336521 | Ningyuanda TC155 ONVIF Device Management Service device_service access control
VDB-336521 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707197 | Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Unauthenticated Hard Reset via ONVIF SetSystemFactoryDefault
https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-Hard-Reset.md
 
AWS–S3 Encryption Client for .NET Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for .NET to version 3.2.0 or later. 2025-12-17 5.3 CVE-2025-14759 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/amazon-s3-encryption-client-dotnet/security/advisories/GHSA-4v42-65r3-3gjx
https://github.com/aws/amazon-s3-encryption-client-dotnet/releases/tag/release_2025-12-17
 
AWS–AWS SDK for C++ Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade AWS SDK for C++ to version 1.11.712 or later. 2025-12-17 5.3 CVE-2025-14760 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/aws-sdk-cpp/security/advisories/GHSA-792f-r46x-r7gm
https://github.com/aws/aws-sdk-cpp/releases/tag/1.11.712
 
AWS–AWS SDK for PHP Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later. 2025-12-17 5.3 CVE-2025-14761 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh
https://github.com/aws/aws-sdk-php/releases/tag/3.368.0
 
AWS–AWS SDK for Ruby Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later. 2025-12-17 5.3 CVE-2025-14762 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq
https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0
 
AWS–S3 Encryption Client for Java Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Java to version 4.0.0 or later. 2025-12-17 5.3 CVE-2025-14763 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/amazon-s3-encryption-client-java/security/advisories/GHSA-x44p-gvrj-pj2r
https://github.com/aws/amazon-s3-encryption-client-java/releases/tag/v4.0.0
 
AWS–S3 Encryption Client for Go Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an “instruction file” instead of S3’s metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later. 2025-12-17 5.3 CVE-2025-14764 https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
https://github.com/aws/amazon-s3-encryption-client-go/security/advisories/GHSA-3g75-q268-r9r6
https://github.com/aws/amazon-s3-encryption-client-go/releases/tag/v4.0.0
 
ConnectWise–ScreenConnect In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components. 2025-12-18 5.3 CVE-2025-14823 https://www.connectwise.com/company/trust/security-bulletins/2025-12-18-screenconnect-certificate-signing-extension-update
 
Red Hat–Red Hat Advanced Cluster Management for Kubernetes 2 A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. 2025-12-18 5.3 CVE-2025-14874 https://access.redhat.com/security/cve/CVE-2025-14874
RHBZ#2418133
https://github.com/nodemailer/nodemailer
https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
 
Campcodes–Advanced Voting Management System A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. 2025-12-18 5.4 CVE-2025-14889 VDB-337378 | Campcodes Advanced Voting Management System Password voters_edit.php improper authorization
VDB-337378 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715643 | campcodes Advanced Voting Management System using PHP/MySQLi 1.0 Authentication Bypass
https://gist.github.com/nikstudy576-maker/82e1e1ede9b848880aa09b87b92bc22c
https://www.campcodes.com/
 
WebAssembly–Binaryen A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: 4f52bff8c4075b5630422f902dd92a0af2c9f398. It is recommended to apply a patch to fix this issue. 2025-12-19 5.3 CVE-2025-14956 VDB-337592 | WebAssembly Binaryen wasm-binary.cpp readExport heap-based overflow
VDB-337592 | CTI Indicators (IOB, IOC, IOA)
Submit #717315 | WebAssembly binaryen 9a226ac Heap-based Buffer Overflow
https://github.com/WebAssembly/binaryen/issues/8089
https://github.com/WebAssembly/binaryen/pull/8092
https://github.com/oneafter/1204/blob/main/hbf
https://github.com/WebAssembly/binaryen/commit/4f52bff8c4075b5630422f902dd92a0af2c9f398
 
floooh–sokol A security flaw has been discovered in floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932. This vulnerability affects the function _sg_pipeline_common_init in the library sokol_gfx.h. Performing manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The patch is named 33e2271c431bf21de001e972f72da17a984da932. It is suggested to install a patch to address this issue. 2025-12-19 5.3 CVE-2025-14958 VDB-337594 | floooh sokol sokol_gfx.h _sg_pipeline_common_init heap-based overflow
VDB-337594 | CTI Indicators (IOB, IOC, IOA)
Submit #717320 | floooh sokol e0832c9 Heap-based Buffer Overflow
https://github.com/floooh/sokol/issues/1406
https://github.com/floooh/sokol/issues/1406#issuecomment-3649515551
https://github.com/oneafter/1212/blob/main/hbf1
https://github.com/seyhajin/sokol/commit/33e2271c431bf21de001e972f72da17a984da932
 
1541492390c–yougou-mall A vulnerability was found in 1541492390c yougou-mall up to 0a771fa817c924efe52c8fe0a9a6658eee675f9f. This impacts the function Upload of the file src/main/java/per/ccm/ygmall/extra/controller/ResourceController.java. Performing manipulation results in path traversal. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. 2025-12-19 5.5 CVE-2025-14965 VDB-337600 | 1541492390c yougou-mall ResourceController.java upload path traversal
VDB-337600 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717732 | https://github.com/1541492390c/yougou-mall?tab=readme-ov-file yougou-mall 1.0 Upload any file
https://github.com/zyhzheng500-maker/cve/blob/main/yougou-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md
 
Restajet Information Technologies Inc.–Online Food Delivery System URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing. This issue affects Online Food Delivery System: through 19122025. 2025-12-19 5.4 CVE-2025-1885 https://www.usom.gov.tr/bildirim/tr-25-0469
 
IBM–UCD – IBM UrbanCode Deploy IBM UCD – IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD – IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions. 2025-12-15 5 CVE-2025-36360 https://www.ibm.com/support/pages/node/7254661
 
Elastic–Kibana Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection. 2025-12-15 5.4 CVE-2025-37732 https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064
 
avahi–avahi Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket number, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors increases system load because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected; they use the DBus interface. It is possible to change permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users. 2025-12-18 5.5 CVE-2025-59529 https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q
https://github.com/avahi/avahi/pull/808
https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529
 
FreshRSS–FreshRSS FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue. 2025-12-18 5.3 CVE-2025-59949 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w7f5-8vf9-f966
https://github.com/FreshRSS/FreshRSS/pull/7958
https://github.com/FreshRSS/FreshRSS/pull/7997
https://github.com/FreshRSS/FreshRSS/pull/7999
 
HCL Software–DevOps Deploy / Launch HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions. 2025-12-16 5 CVE-2025-62329 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332
 
HCL Software–DevOps Deploy HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks. 2025-12-16 5.9 CVE-2025-62330 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127333
 
Sparkle WP–Construction Light Missing Authorization vulnerability in Sparkle WP Construction Light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Construction Light: from n/a through 1.6.7. 2025-12-18 5.4 CVE-2025-62960 https://vdp.patchstack.com/database/wordpress/theme/construction-light/vulnerability/wordpress-construction-light-theme-1-6-7-broken-access-control-vulnerability?_s_id=cve
 
Sparkle WP–Sparkle FSE Missing Authorization vulnerability in Sparkle WP Sparkle FSE allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sparkle FSE: from n/a through 1.0.9. 2025-12-18 5.4 CVE-2025-62961 https://vdp.patchstack.com/database/wordpress/theme/sparkle-fse/vulnerability/wordpress-sparkle-fse-theme-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
WP Messiah–WP AI CoPilot Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through 1.2.7. 2025-12-18 5 CVE-2025-62998 https://vdp.patchstack.com/database/wordpress/plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability?_s_id=cve
 
wpforchurch–Sermon Manager Missing Authorization vulnerability in wpforchurch Sermon Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sermon Manager: from n/a through 2.30.0. 2025-12-18 5.3 CVE-2025-63002 https://vdp.patchstack.com/database/wordpress/plugin/sermon-manager-for-wordpress/vulnerability/wordpress-sermon-manager-plugin-2-30-0-broken-access-control-vulnerability?_s_id=cve
 
PickPlugins–Post Grid and Gutenberg Blocks Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.19. 2025-12-18 5.3 CVE-2025-63043 https://vdp.patchstack.com/database/wordpress/plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-19-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WeblateOrg–weblate Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message. 2025-12-15 5 CVE-2025-66407 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
https://github.com/WeblateOrg/weblate/pull/17102
https://github.com/WeblateOrg/weblate/pull/17103
 
Foxit Software Inc.–Foxit PDF Reader A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing PRC data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. 2025-12-19 5.3 CVE-2025-66496 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–Foxit PDF Reader A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing PRC data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. 2025-12-19 5.3 CVE-2025-66497 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.–Foxit PDF Reader A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing U3D data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. 2025-12-19 5.3 CVE-2025-66498 https://www.foxit.com/support/security-bulletins.html
 
WeblateOrg–weblate Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. 2025-12-16 5.3 CVE-2025-67492 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf
https://github.com/WeblateOrg/weblate/pull/17221
 
Mintlify–Mintlify Platform The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user’s organization. 2025-12-19 5 CVE-2025-67844 https://www.mintlify.com/docs/changelog
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
https://kibty.town/blog/mintlify/
https://news.ycombinator.com/item?id=46317098
 
MISP–MISP In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. 2025-12-15 5.4 CVE-2025-67906 https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054
https://vulnerability.circl.lu/vuln/gcve-1-2025-0031
https://github.com/franckferman/GCVE-1-2025-0030
https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28
https://github.com/franckferman/CVE-2025-67906
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup. 2025-12-16 5.4 CVE-2025-68165 https://www.jetbrains.com/privacy-security/issues-fixed/
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab. 2025-12-16 5.4 CVE-2025-68166 https://www.jetbrains.com/privacy-security/issues-fixed/
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page. 2025-12-16 5.4 CVE-2025-68268 https://www.jetbrains.com/privacy-security/issues-fixed/
 
JetBrains–IntelliJ IDEA In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH. 2025-12-16 5.4 CVE-2025-68269 https://www.jetbrains.com/privacy-security/issues-fixed/
 
Elastic–Packetbeat Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat. 2025-12-18 5.3 CVE-2025-68388 https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-29/384177
 
fastapi-users–fastapi-users FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `…/callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for ~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker’s account. Version 15.0.2 contains a patch for the issue. 2025-12-19 5.9 CVE-2025-68481 https://github.com/fastapi-users/fastapi-users/security/advisories/GHSA-5j53-63w8-8625
https://github.com/fastapi-users/fastapi-users/commit/7cf413cd766b9cb0ab323ce424ddab2c0d235932
https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L111
https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L57
 
Hitachi Vantara–Pentaho Data Integration and Analytics Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to version 10.2.0.4, including 9.3.0.x and 8.3.x, displays the full server stack trace when encountering an error within the GetCdfResource servlet. 2025-12-15 5.3 CVE-2025-9122 https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122
 
Kentico–Xperience An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls. 2025-12-18 4.3 CVE-2019-25230 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.0 User Widget Information Disclosure
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users’ browsers when administrators view error messages in the administration interface. 2025-12-18 4.6 CVE-2020-36889 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.90 Administration Interface Stored XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute in users’ browsers. 2025-12-18 4.6 CVE-2020-36891 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 12.0.49 File Upload Stored XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information. 2025-12-18 4.6 CVE-2022-50680 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.92 Email Marketing Stored XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users’ browsers through unvalidated form configuration settings. 2025-12-18 4.6 CVE-2022-50683 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.74 Form Configuration Stored XSS
 
Kentico–Xperience An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security. 2025-12-18 4.6 CVE-2022-50684 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.71 Form Emails HTML Injection
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute in users’ browsers. 2025-12-18 4.6 CVE-2022-50685 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.56 File Upload Stored XSS
 
Mapro Collins–Magazine Edge Missing Authorization vulnerability in Mapro Collins Magazine Edge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Edge: from n/a through 1.13. 2025-12-20 4.3 CVE-2023-25068 https://vdp.patchstack.com/database/wordpress/theme/magazine-edge/vulnerability/wordpress-magazine-edge-theme-1-13-authenticated-arbitrary-plugin-activation?_s_id=cve
 
mojofywp–WP Affiliate Disclosure Vulnerability in mojofywp WP Affiliate Disclosure (wp-affiliate-disclosure). This issue affects WP Affiliate Disclosure: from n/a through 1.2.6. 2025-12-21 4.3 CVE-2023-47232 https://vdp.patchstack.com/database/wordpress/plugin/wp-affiliate-disclosure/vulnerability/wordpress-wp-affiliate-disclosure-plugin-1-2-6-broken-access-control-csrf-vulnerability?_s_id=cve
 
Kentico–Xperience A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context. 2025-12-18 4.6 CVE-2023-53736 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.120 Administration Interface Reflected XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface. 2025-12-18 4.6 CVE-2023-53737 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.101 Localization Application Stored XSS
 
Kentico–Xperience A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to execute arbitrary scripts in users’ browsers during page preview interactions. 2025-12-18 4.6 CVE-2023-53738 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.109 Page Preview Reflected XSS
 
Rukovoditel–Rukovoditel Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. 2025-12-16 4.6 CVE-2023-53897 ExploitDB-51548
Rukovoditel Product Webpage
VulnCheck Advisory: Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Comments
 
Rukovoditel–Rukovoditel Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers. 2025-12-16 4.6 CVE-2023-53898 ExploitDB-51548
Rukovoditel Product Webpage
VulnCheck Advisory: Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Configuration
 
Xenforo–Xenforo Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks. 2025-12-17 4.6 CVE-2023-53904 ExploitDB-51547
Official Product Webpage
VulnCheck Advisory: Xenforo 2.2.13 Authenticated Stored Cross-Site Scripting via Smilie Categories
 
projectSend–projectSend projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection. 2025-12-17 4.6 CVE-2023-53906 ExploitDB-51518
Official Product Webpage
VulnCheck Advisory: ProjectSend r1605 Stored Cross-Site Scripting via Custom Assets Page
 
Tmrswrr–Textpattern CMS Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users. 2025-12-17 4.6 CVE-2023-53911 ExploitDB-51523
Official Product Webpage
VulnCheck Advisory: Textpattern CMS 4.8.8 Authenticated Stored Cross-Site Scripting via Article Excerpt
 
Podcastgenerator–PodcastGenerator PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into the Freebox content execute when users visit the application’s home page. 2025-12-17 4.6 CVE-2023-53919 ExploitDB-51454
Official Product Webpage
VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Freebox Content Field
 
Podcastgenerator–PodcastGenerator PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute when users visit the application’s home page. 2025-12-17 4.6 CVE-2023-53920 ExploitDB-51454
Official Product Webpage
VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Podcast Title Field
 
s9y–Serendipity Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post. 2025-12-17 4.6 CVE-2023-53932 ExploitDB-51373
Official Product Homepage
VulnCheck Advisory: Serendipity 2.4.0 Stored Cross-Site Scripting via Admin Entry Creation
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users’ browsers. 2025-12-18 4.6 CVE-2024-58321 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.159 Form Validation Stored XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users’ browsers. 2025-12-18 4.6 CVE-2024-58322 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.158 Shipping Options Stored XSS
 
Kentico–Xperience A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users’ browsers by exploiting HTML support in the form builder. 2025-12-18 4.6 CVE-2024-58323 Kentico DevNet Hotfixes
VulnCheck Advisory: Kentico Xperience <= 13.0.158 Checkbox Form Component Stored XSS
 
wpdevteam–Gutenberg Essential Blocks Page Builder for Gutenberg Blocks & Patterns The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services. 2025-12-17 4.3 CVE-2025-11369 https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve
https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108
https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20
https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50
 
saadiqbal–myCred Points Management System For Gamification, Ranks, Badges, and Loyalty Program. The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed. 2025-12-19 4.3 CVE-2025-12361 https://www.wordfence.com/threat-intel/vulnerabilities/id/43b05697-bc36-4f32-86b4-2feef892fe42?source=cve
https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/banking/services/mycred-service-central.php#L172
https://plugins.trac.wordpress.org/changeset/3421768/mycred/trunk?contextall=1&old=3417299&old_path=%2Fmycred%2Ftrunk
 
dylanjkotze–Zephyr Project Manager The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On servers that have `allow_url_fopen` enabled, this issue also allows Server-Side Request Forgery. 2025-12-17 4.9 CVE-2025-12496 https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve
https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506
https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870
 
ninjateam–FileBird WordPress Media Library Folders & File Manager The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the “ConvertController::insertToNewTable” function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances. 2025-12-15 4.3 CVE-2025-12900 https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve
https://plugins.trac.wordpress.org/changeset/3411587
 
realmag777–HUSKY Products Filter Professional for WooCommerce The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the “woof_add_subscr” function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators. 2025-12-18 4.3 CVE-2025-13110 https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea2dfc5-0dcc-4ea1-9ade-d59021e078fa?source=cve
https://plugins.trac.wordpress.org/changeset/3412492/woocommerce-products-filter
https://plugins.trac.wordpress.org/changeset/3415428/woocommerce-products-filter
 
Mattermost–Mattermost Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack. 2025-12-17 4.3 CVE-2025-13324 https://mattermost.com/security-updates
 
dipesh_patel–Web to SugarCRM Lead The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-21 4.3 CVE-2025-13361 https://www.wordfence.com/threat-intel/vulnerabilities/id/b7c54b5d-ad73-44f1-afdb-01136ec0b9ae?source=cve
https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/trunk/wpscl-admin-functions.php#L496
https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/tags/1.0.0/wpscl-admin-functions.php#L496
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3423497%40web-to-sugarcrm-lead&new=3423497%40web-to-sugarcrm-lead
 
codename065–Download Manager The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files. 2025-12-18 4.3 CVE-2025-13498 https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cdd50d-6290-4cef-a72c-2e9d680d4f1f?source=cve
https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L26
https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L275
https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L299
https://plugins.trac.wordpress.org/changeset/3413804/
 
publishpress–Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability. 2025-12-16 4.3 CVE-2025-13741 https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve
https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376
 
mateuszgbiorczyk–Converter for Media Optimize images | Convert WebP & AVIF The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments. 2025-12-17 4.3 CVE-2025-13750 https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve
https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media
 
themeisle–Auto Featured Image (Auto Post Thumbnail) The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own. 2025-12-16 4.3 CVE-2025-13794 https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve
https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425
 
wpchill–Image Gallery Photo Grid & Video Gallery The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users. 2025-12-15 4.3 CVE-2025-14003 https://www.wordfence.com/threat-intel/vulnerabilities/id/4490afba-1487-40a4-99c6-c753acb10df3?source=cve
https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery
 
LINE Corporation–LINE client for iOS The in-app browser in LINE client for iOS versions prior to 14.14 is vulnerable to address bar spoofing, which could allow attackers to execute malicious JavaScript within iframes while displaying trusted URLs, enabling phishing attacks through overlaid malicious content. 2025-12-15 4.3 CVE-2025-14021 https://hackerone.com/reports/2548498
 
hasthemes–WC Builder WooCommerce Page Builder for WPBakery The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘heading_color’ parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-21 4.4 CVE-2025-14054 https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4fe4b6-cc1e-40be-bd2e-bf2745244892?source=cve
https://plugins.trac.wordpress.org/browser/wc-builder/trunk/includes/addons/product_additional_information.php#L33
https://plugins.trac.wordpress.org/browser/wc-builder/tags/1.2.0/includes/addons/product_additional_information.php#L33
https://plugins.trac.wordpress.org/changeset/3419217/
 
ultimatemember–Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to “Only me”) via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role. 2025-12-17 4.3 CVE-2025-14081 https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610
https://plugins.trac.wordpress.org/changeset/3421362/
 
edckwt–Quran Gateway The Quran Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation in the quran_gateway_options function. This makes it possible for unauthenticated attackers to modify the plugin’s display settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-20 4.3 CVE-2025-14164 https://www.wordfence.com/threat-intel/vulnerabilities/id/3e16da38-709a-4b9a-9f00-efe8459a1318?source=cve
https://plugins.trac.wordpress.org/browser/quran-gateway/trunk/admin.php#L457
https://plugins.trac.wordpress.org/browser/quran-gateway/tags/1.5/admin.php#L457
 
wpmaniax–WP DB Booster The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-20 4.3 CVE-2025-14168 https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0af0a4-81b5-425e-aba3-0c422aa33634?source=cve
https://plugins.trac.wordpress.org/browser/wp-db-booster/trunk/admin/class-wp-db-booster-admin.php#L336
https://plugins.trac.wordpress.org/browser/wp-db-booster/tags/1.0.1/admin/class-wp-db-booster-admin.php#L336
 
bdthemes–Prime Slider Addons for Elementor The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2025-12-18 4.3 CVE-2025-14277 https://www.wordfence.com/threat-intel/vulnerabilities/id/069a56a1-ca17-43cc-a51f-51b6111f5b61?source=cve
https://plugins.trac.wordpress.org/changeset/3419222/bdthemes-prime-slider-lite
 
wpcodefactory–Download Plugins and Themes in ZIP from Dashboard The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all of the site's plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-12-17 4.3 CVE-2025-14399 https://www.wordfence.com/threat-intel/vulnerabilities/id/845b6bcf-004b-4b92-88d7-3d331fa58c11?source=cve
https://plugins.trac.wordpress.org/changeset/3417484/download-plugins-dashboard
 
listingthemes–Sweet Energy Efficiency The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the ‘sweet_energy_efficiency_action’ AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs. 2025-12-18 4.3 CVE-2025-14618 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ccc8b30-1bdf-4335-85a9-79c6f9a88afc?source=cve
https://plugins.trac.wordpress.org/changeset/3417589/sweet-energy-efficiency
https://plugins.trac.wordpress.org/changeset/3420909/sweet-energy-efficiency
 
ketr–JEPaaS A vulnerability was found in ketr JEPaaS up to 7.2.8. This impacts the function readAllPostil of the file /je/postil/postil/readAllPostil. Performing manipulation of the argument keyWord results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 4.7 CVE-2025-14694 VDB-336412 | ketr JEPaaS readAllPostil sql injection
VDB-336412 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707178 | JEPaaS v7.2.8 SQL Injection
https://github.com/c3p0ooo-Yiqiyin/JEPaaS-readAllPostil-SQL-Injection-Vulnerability/blob/main/README.md
 
atlaszz AI Photo Team–Galleryit App A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 4.4 CVE-2025-14698 VDB-336416 | atlaszz AI Photo Team Galleryit App gallery.photogallery.pictures.vault.album path traversal
VDB-336416 | CTI Indicators (IOB, IOC, TTP)
Submit #706213 | BETTER FITNESS LIMITED (https://atlaszz.com/) Galleryit – Photo Vault, Album (gallery.photogallery.pictures.vault.album) V1.3.8.2 Path Traversal
https://github.com/Secsys-FDU/AF_CVEs/issues/2
 
Smartbit CommV–Smartschool App A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 4.4 CVE-2025-14702 VDB-336419 | Smartbit CommV Smartschool App be.smartschool.mobile.SplashActivity path traversal
VDB-336419 | CTI Indicators (IOB, IOC, TTP)
Submit #706220 | Smartbit(http://www.smartschool.be/) Smartschool (be.smartschool.mobile) V10.4.4 Path Traversal
https://github.com/Secsys-FDU/AF_CVEs/issues/4
 
CTCMS–Content Management System A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2025-12-15 4.7 CVE-2025-14729 VDB-336486 | CTCMS Content Management System Backend App Configuration Ct_App.php save code injection
VDB-336486 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707104 | ctcms 2.1.2 Command Injection
https://note-hxlab.wetolink.com/share/R3y6uiOuuYbA
 
CTCMS–Content Management System A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. 2025-12-15 4.7 CVE-2025-14730 VDB-336487 | CTCMS Content Management System Backend System Configuration Ct_Config.php code injection
VDB-336487 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707105 | ctcms 2.1.2 Command Injection
https://note-hxlab.wetolink.com/share/87u6f02Gho0K
 
nestornoe–Amazon affiliate lite Plugin The “Amazon affiliate lite Plugin” plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2025-12-20 4.4 CVE-2025-14735 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve
https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105
https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236
 
Ningyuanda–TC155 A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-16 4.3 CVE-2025-14746 VDB-336519 | Ningyuanda TC155 RTSP Live Video Stream Endpoint improper authentication
VDB-336519 | CTI Indicators (IOB, IOC)
Submit #707195 | Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware Version 57.0.2.0 Missing Critical Step in Authentication
https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-RTSP.md
 
Ningyuanda–TC155 A vulnerability was found in Ningyuanda TC155 57.0.2.0. The impacted element is an unknown function of the component RTSP Service. Performing manipulation results in denial of service. The attack must originate from the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-16 4.3 CVE-2025-14747 VDB-336520 | Ningyuanda TC155 RTSP Service denial of service
VDB-336520 | CTI Indicators (IOB, IOC)
Submit #707196 | Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Improper Check or Handling of Exceptional Conditions
https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-Malformed-RTSP-Describe-Request.md
 
ZZCMS–ZZCMS A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2025-12-17 4.7 CVE-2025-14837 VDB-336987 | ZZCMS Backend Website Settings siteconfig.php stripfxg code injection
VDB-336987 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711655 | zzcms zzcms2025 Command Injection
https://note-hxlab.wetolink.com/share/ekNgcv2wVBya
 
Advantech–WebAccess/SCADA Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files. 2025-12-18 4.3 CVE-2025-14848 https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
 
CodeAstro–Real Estate Management System A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. 2025-12-18 4.7 CVE-2025-14897 VDB-337422 | CodeAstro Real Estate Management System Administrator Endpoint useragentdelete.php sql injection
VDB-337422 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715668 | PHPGurukul CodeAstro Real Estate Management System 1.0 Injection
https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/sqli-useragentdelete.md
https://codeastro.com/
 
CodeAstro–Real Estate Management System A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. 2025-12-18 4.7 CVE-2025-14898 VDB-337423 | CodeAstro Real Estate Management System Administrator Endpoint userbuilderdelete.php sql injection
VDB-337423 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715670 | PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection
https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/sqli-userbuilderdelete.php.md
https://codeastro.com/
 
CodeAstro–Real Estate Management System A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. 2025-12-19 4.7 CVE-2025-14899 VDB-337424 | CodeAstro Real Estate Management System Administrator Endpoint stateadd.php sql injection
VDB-337424 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715671 | PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection
https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/stateadd.php-sqli.md
https://codeastro.com/
 
CodeAstro–Real Estate Management System A security vulnerability has been detected in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /admin/userdelete.php of the component Administrator Endpoint. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2025-12-19 4.7 CVE-2025-14900 VDB-337425 | CodeAstro Real Estate Management System Administrator Endpoint userdelete.php sql injection
VDB-337425 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715672 | PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection
https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/userdelete-sqli.md
https://codeastro.com/
 
JeecgBoot–JeecgBoot A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can allow managing user sessions. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This patch is called b686f9fbd1917edffe5922c6362c817a9361cfbd. Applying a patch is advised to resolve this issue. 2025-12-19 4.3 CVE-2025-14909 VDB-337433 | JeecgBoot SysUserOnlineController.java SysUserOnlineController user session
VDB-337433 | CTI Indicators (IOB, IOC, IOA)
Submit #715743 | jeecgboot 3.9.0 bfla
https://github.com/jeecgboot/JeecgBoot/issues/9195
https://github.com/jeecgboot/JeecgBoot/issues/9195#issue-3719368751
https://github.com/jeecgboot/JeecgBoot/commit/b686f9fbd1917edffe5922c6362c817a9361cfbd
 
Edimax–BR-6208AC A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Edimax confirms this issue: “This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models.” This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-19 4.3 CVE-2025-14910 VDB-337435 | Edimax BR-6208AC FTP Daemon Service handle_retr path traversal
VDB-337435 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713704 | Edimax BR-6208AC V2_1.02 Absolute Path Traversal
https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Path-Traversal-Vulnerability-in-FTPd-2c4b5c52018a80fb8812f7d510abf558?source=copy_link
 
code-projects–Online Appointment Booking System A vulnerability was found in code-projects Online Appointment Booking System 1.0. Impacted is an unknown function of the file /admin/deletemanager.php. The manipulation of the argument managername results in sql injection. The attack may be performed remotely. The exploit has been made public and could be used. 2025-12-19 4.7 CVE-2025-14939 VDB-337519 | code-projects Online Appointment Booking System deletemanager.php sql injection
VDB-337519 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715796 | code-projects Online Appointment Booking System V1.0 SQL injection
https://github.com/wegitlab/cve/issues/1
https://code-projects.org/
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with ‘-o’ are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd. 2025-12-19 4.8 CVE-2025-14946 https://access.redhat.com/security/cve/CVE-2025-14946
RHBZ#2423789
https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security
 
code-projects–Simple Stock System A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been published and may be used. 2025-12-19 4.3 CVE-2025-14962 VDB-337598 | code-projects Simple Stock System chatuser.php cross site scripting
VDB-337598 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717640 | Code-projects Simple Stock System v1.0 Reflective XSS vulnerability
https://github.com/wyxclcw/CVE/issues/1
https://code-projects.org/
 
FastAdmin–FastAdmin A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing manipulation of the argument custom/searchField can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-19 4.7 CVE-2025-14966 VDB-337601 | FastAdmin Backend Controller Backend.php selectpage sql injection
VDB-337601 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718309 | FastAdmin 1.7.0.20250506 SQL Injection
Submit #718339 | FastAdmin 1.7.0.20250506 SQL Injection (Duplicate)
https://note-hxlab.wetolink.com/share/1924AEdgGFYu
https://note-hxlab.wetolink.com/share/auEz57nwynMq
 
SeaCMS–SeaCMS A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Performing manipulation of the argument e_id results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. 2025-12-21 4.7 CVE-2025-15003 VDB-337708 | SeaCMS admin_video.php sql injection
VDB-337708 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716084 | SeaCMS 13.3 SQL Injection
https://note-hxlab.wetolink.com/share/aTI1wPFLm7FG
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions. 2025-12-18 4.7 CVE-2025-40891 https://security.nozominetworks.com/NN-2025:12-01
 
HCL Software–BigFix Remote Control Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. 2025-12-17 4.7 CVE-2025-59849 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332
 
BullWall–Ransomware Containment BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. 2025-12-18 4.3 CVE-2025-62002 url
 
Mattermost–Mattermost Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link. 2025-12-17 4.3 CVE-2025-62190 https://mattermost.com/security-updates
 
HappyDevs–TempTool Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HappyDevs TempTool allows Retrieve Embedded Sensitive Data. This issue affects TempTool: from n/a through 1.3.1. 2025-12-21 4.3 CVE-2025-62955 https://vdp.patchstack.com/database/wordpress/plugin/current-template-name/vulnerability/wordpress-temptool-show-current-template-info-plugin-1-3-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
RadiusTheme–Radius Blocks Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Radius Blocks: from n/a through 2.2.1. 2025-12-18 4.3 CVE-2025-64282 https://vdp.patchstack.com/database/wordpress/plugin/radius-blocks/vulnerability/wordpress-radius-blocks-plugin-2-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Palantir–com.palantir.controlpanel:control-panel Control Panel provides an API for pre-registering into an enrollment and organization prior to a user’s first login. The API for creating users checks that the account requesting a user creation has `edit` on the enrollment-level user directory, but is missing a separate check that the enrollment editor has access (or belongs to) the organization that they are adding a user to. 2025-12-18 4.1 CVE-2025-64400 https://palantir.safebase.us/?tcuUid=52a9fd2f-1868-48cb-af01-93c589160e19
 
Advantech–WebAccess/SCADA Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files. 2025-12-18 4.3 CVE-2025-67653 https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
 
Esri–ArcGIS Web AppBuilder (Developer Edition) There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim’s browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability. 2025-12-19 4.7 CVE-2025-67712 https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340
 
WeblateOrg–weblate Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. 2025-12-16 4.3 CVE-2025-67715 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
https://github.com/WeblateOrg/weblate/pull/17256
 
Mintlify–Mintlify Platform The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version. 2025-12-19 4.9 CVE-2025-67846 https://www.mintlify.com/docs/changelog
https://www.mintlify.com/blog/working-with-security-researchers-november-2025
https://kibty.town/blog/mintlify/
https://news.ycombinator.com/item?id=46317098
 
capstone-engine–capstone Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue. 2025-12-17 4.8 CVE-2025-67873 https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3
 
capstone-engine–capstone Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream’s index negative or past the end, leading to a stack buffer underflow/overflow when the next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e fixes the issue. 2025-12-17 4.8 CVE-2025-68114 https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r
https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e
 
Elastic–Kibana Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document’s sharing type to “global,” even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request. 2025-12-18 4.3 CVE-2025-68386 https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186
 
Elastic–Elasticsearch Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request. 2025-12-18 4.9 CVE-2025-68390 https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185
 
Elastic–Kibana Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries – read permission to successfully retrieve the list of live queries. 2025-12-18 4.3 CVE-2025-68422 https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187
 
Biopython–Biopython Bio.Entrez in Biopython through 186 allows doctype XXE. 2025-12-18 4.9 CVE-2025-68463 https://github.com/biopython/biopython/issues/5109
 
Utarit Informatics Services Inc.–SoliClub Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse. This issue affects SoliClub: before 5.3.7. 2025-12-18 4.3 CVE-2025-7047 https://www.usom.gov.tr/bildirim/tr-25-0466
 
JobCareer–WP JobHunt The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the ‘cs_update_application_status_callback’ due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user. 2025-12-20 4.3 CVE-2025-7733 https://www.wordfence.com/threat-intel/vulnerabilities/id/409bcd8c-6cd3-4022-a67f-57e901c83d66?source=cve
https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
 
Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info
Mattermost–Mattermost Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and to clear data on server deletion, which allows an attacker with access to the user’s system to gain access to potentially sensitive information via reading the application logs. 2025-12-17 3.3 CVE-2025-13321 https://mattermost.com/security-updates
 
Mattermost–Mattermost Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder. 2025-12-17 3.9 CVE-2025-13326 https://mattermost.com/security-updates
 
Mattermost–Mattermost Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. 2025-12-17 3 CVE-2025-13352 https://mattermost.com/security-updates
 
LINE Corporation–LINE client for Android LINE client for Android versions from 13.8 to 15.5 is vulnerable to UI spoofing in the in-app browser where a specific layout could obscure the full-screen warning prompt, potentially allowing attackers to conduct phishing attacks. 2025-12-15 3.4 CVE-2025-14019 https://hackerone.com/reports/3062270
 
LINE Corporation–LINE client for iOS LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser’s user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions. 2025-12-15 3.1 CVE-2025-14023 https://hackerone.com/reports/3260386
 
Shenzhen Sixun Software–Sixun Shanghui Group Business Management System A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories becoming accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 3.7 CVE-2025-14697 VDB-336415 | Shenzhen Sixun Software Sixun Shanghui Group Business Management System ExportFiles file access
VDB-336415 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #705619 | Shenzhen Sixun Software Co., Ltd. Sissyun Shanghui 7 Online Business System 4.10.24.3 Unauthorized
https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/2
https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/2#issue-3689006583
 
OFFIS–DCMTK A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component. 2025-12-18 3.3 CVE-2025-14841 VDB-337004 | OFFIS DCMTK dcmqrscp dcmqrdbi.cc startMoveRequest null pointer dereference
VDB-337004 | CTI Indicators (IOB, IOC, IOA)
Submit #714605 | OFFIS DCMTK 3.6.9 Denial of Service
Submit #714634 | OFFIS DCMTK 3.6.9 Denial of Service (Duplicate)
https://support.dcmtk.org/redmine/issues/1183
https://github.com/DCMTK/dcmtk/commit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030
https://github.com/DCMTK/dcmtk/releases/tag/DCMTK-3.7.0
 
Open5GS–Open5GS A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to null pointer dereference. The attack may be performed remotely. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue. 2025-12-19 3.1 CVE-2025-14953 VDB-337589 | Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference
VDB-337589 | CTI Indicators (IOB, IOC, IOA)
Submit #716799 | Open5GS v2.7.5 Reachable Assertion
https://github.com/open5gs/open5gs/issues/4179
https://github.com/open5gs/open5gs/issues/4179#issuecomment-3614868758
https://github.com/open5gs/open5gs/issues/4179#issue-3666399406
https://github.com/open5gs/open5gs/commit/93a9fd98a8baa94289be3b982028201de4534e32
 
Open5GS–Open5GS A vulnerability has been found in Open5GS up to 2.7.5. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack’s complexity is rated as high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue. 2025-12-19 3.7 CVE-2025-14954 VDB-337590 | Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion
VDB-337590 | CTI Indicators (IOB, IOC, IOA)
Submit #716810 | Open5GS v2.7.5 CWE-617 Reachable Assertion
https://github.com/open5gs/open5gs/issues/4181
https://github.com/open5gs/open5gs/issues/4181#issuecomment-3615646842
https://github.com/open5gs/open5gs/issues/4181#issue-3667069101
https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7
 
Open5GS–Open5GS A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue. 2025-12-19 3.7 CVE-2025-14955 VDB-337591 | Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization
VDB-337591 | CTI Indicators (IOB, IOC, IOA)
Submit #716841 | Open5GS v2.7.5 Reachable Assertion
https://github.com/open5gs/open5gs/issues/4182
https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878
https://github.com/open5gs/open5gs/issues/4182#issue-3670797098
https://github.com/open5gs/open5gs/commit/773117aa5472af26fc9f80e608d3386504c3bdb7
 
WebAssembly–Binaryen A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required for this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue. 2025-12-19 3.3 CVE-2025-14957 VDB-337593 | WebAssembly Binaryen IRBuilder wasm-ir-builder.cpp makeLocalTee null pointer dereference
VDB-337593 | CTI Indicators (IOB, IOC, IOA)
Submit #717317 | WebAssembly binaryen e7706b3 Memory Corruption
Submit #717319 | WebAssembly binaryen e7706b3 Memory Corruption (Duplicate)
https://github.com/WebAssembly/binaryen/issues/8090
https://github.com/WebAssembly/binaryen/pull/8099
https://github.com/oneafter/1204/blob/main/af1
https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4
 
HCL Software–BigFix Remote Control Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in certain web pages. 2025-12-17 3.7 CVE-2025-55254 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332
 
Mattermost–Mattermost Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab. 2025-12-17 3.1 CVE-2025-62690 https://mattermost.com/security-updates
 
Microsoft–Microsoft Edge for Android Microsoft Edge (Chromium-based) Spoofing Vulnerability 2025-12-18 3.1 CVE-2025-65046 Microsoft Edge (Chromium-based) Spoofing Vulnerability
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page 2025-12-16 3.5 CVE-2025-68163 https://www.jetbrains.com/privacy-security/issues-fixed/
 
Debian–FreedomBox Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases. 2025-12-18 3.2 CVE-2025-68462 https://salsa.debian.org/freedombox-team/freedombox/-/commit/8ba444990b4af6eec4b6b2b26482b107d
 
wpvividplugins–Migration, Backup, Staging WPvivid Backup & Migration The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories. 2025-12-21 2.7 CVE-2025-12654 https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568
https://wordpress.org/plugins/wpvivid-backuprestore/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail=
 
vion707–DMadmin A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Manipulation of this function can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-15 2.4 CVE-2025-14722 VDB-336467 | vion707 DMadmin Backend AddonsController.class.php add cross site scripting
VDB-336467 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707130 | 大漠急速开发 DMadmin Based on ThinkPhp 3.23 development version xss
https://github.com/DeepMountains/zzz/blob/main/CVE-2025-2-2.md
 
xiweicheng–TMS A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-17 2.4 CVE-2025-14801 VDB-336939 | xiweicheng TMS create createComment cross site scripting
VDB-336939 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708322 | xiweicheng TMS v2.28.0 Cross Site Scripting
https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/TMS_v2.28.0_XSS-1.md
 
ZZCMS–ZZCMS A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2025-12-17 2.7 CVE-2025-14836 VDB-336986 | ZZCMS User Data Storage user_save.php cleartext storage in a file or on disk
VDB-336986 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711654 | zzcms zzcms2025 Plaintext Password in Configuration File
https://note-hxlab.wetolink.com/share/bu2KYevoyBm6
 
Campcodes–Complete Online Beauty Parlor Management System A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-21 2.4 CVE-2025-14991 VDB-337685 | Campcodes Complete Online Beauty Parlor Management System bwdates-reports-details.php cross site scripting
VDB-337685 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718458 | campcodes Complete Online Beauty Parlor Management System V1.0 cross site scripting
https://github.com/funnnxxx/my-cve/issues/1
https://www.campcodes.com/
 
Sunbird–Sunbird An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has been addressed in Power IQ version 9.2.1, where the API call code was updated to ensure safe handling of input values. 2025-12-15 2.5 CVE-2025-55703 https://www.sunbirddcim.com/
https://pastebin.com/C6hVPpF4
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 maven embedder allowed loading extensions via project configuration 2025-12-16 2.7 CVE-2025-68162 https://www.jetbrains.com/privacy-security/issues-fixed/
 
JetBrains–TeamCity In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test 2025-12-16 2.7 CVE-2025-68164 https://www.jetbrains.com/privacy-security/issues-fixed/
 

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
Netaxis–Netaxis Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI). 2025-12-17 not yet calculated CVE-2022-23851 https://www.netaxis.be/products/apio/
https://blog.tig00r.me/post/CVE-2022-23851
 
Inventory Management Systems–Inventory Management systems A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2025-12-15 not yet calculated CVE-2023-36337 https://github.com/ThuanNguyen115685/Report/blob/main/XSS.md
https://gist.github.com/nguyenkhanhthuan/f345c8ea0551c10ead197680f2ba9c66
 
Inventory Management Systems–Inventory Management systems Inventory Management System 1 was discovered to contain a SQL injection vulnerability. 2025-12-15 not yet calculated CVE-2023-36338 https://github.com/ThuanNguyen115685/Report/blob/main/SQLI.md
https://gist.github.com/nguyenkhanhthuan/5294a28bb111f11da4b1f4f1bddf88c8
 
anirbandutta–NEW-BUZZ SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script. 2025-12-15 not yet calculated CVE-2023-38913 https://github.com/ThuanNguyen115685/Report/blob/main/sqlinjection.md
https://gist.github.com/nguyenkhanhthuan/03ce706686508b14506d38788c754dfb
 
Coppermine–coppermine-gallery Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script. 2025-12-15 not yet calculated CVE-2023-53868 ExploitDB-51738
Coppermine Gallery Archived Product Webpage
https://www.vulncheck.com/advisories/coppermine-gallery-remote-code-execution-via-plugin-upload
 
WebIGniter–WebIGniter WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server. 2025-12-15 not yet calculated CVE-2023-53869 ExploitDB-51736
Webigniter Product Webpage
VulnCheck Advisory: WEBIGniter 28.7.23 Unrestricted File Upload Remote Code Execution
 
Jorani–Jorani Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information. 2025-12-15 not yet calculated CVE-2023-53870 ExploitDB-51715
Jorani Product Webpage
VulnCheck Advisory: Jorani 1.0.3 Cross-Site Scripting Vulnerability via Language Parameter
 
Soosyze–Soosyze Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit the broken file upload mechanism to potentially view sensitive file paths and execute malicious PHP scripts on the server. 2025-12-15 not yet calculated CVE-2023-53871 ExploitDB-51718
soosyze Product Homepage
soosyze GitHub Repository
VulnCheck Advisory: Soosyze 2.0.0 Unrestricted File Upload via Broken Upload Logic
 
wp2fac–Wp2Fac Wp2Fac 1.0 contains an OS command injection vulnerability in the send.php endpoint that allows remote attackers to execute arbitrary system commands. Attackers can inject shell commands through the ‘numara’ parameter by appending shell commands with ‘&’ operators to execute malicious code. 2025-12-15 not yet calculated CVE-2023-53872 ExploitDB-51717
wp2fac GitHub Repository
VulnCheck Advisory: Wp2Fac 1.0 OS Command Injection via send.php Endpoint
 
Syncbreeze–SyncBreeze SyncBreeze 15.2.24 contains a denial of service vulnerability in the login authentication mechanism that allows attackers to crash the service. Attackers can send an oversized password parameter with repeated ‘password=’ values to overwhelm the login endpoint and potentially disrupt service availability. 2025-12-15 not yet calculated CVE-2023-53873 ExploitDB-51725
SyncBreeze Product Webpage
VulnCheck Advisory: SyncBreeze 15.2.24 Denial of Service via Login Endpoint Overflow
 
Gomlab–GOM Player GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 ‘A’ characters to trigger a buffer overflow and cause application instability. 2025-12-15 not yet calculated CVE-2023-53874 ExploitDB-51724
GOM Lab Vendor Webpage
VulnCheck Advisory: GOM Player 2.3.90.5360 Buffer Overflow via Equalizer Preset Name
 
Gomlab–GOM Player GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction. 2025-12-15 not yet calculated CVE-2023-53875 ExploitDB-51719
GOM Lab Vendor Webpage
VulnCheck Advisory: GOM Player 2.3.90.5360 Remote Code Execution via Insecure IE Component
 
Creativeitem–Academy LMS Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code. 2025-12-15 not yet calculated CVE-2023-53876 ExploitDB-51702
Academy LMS Product Webpage
VulnCheck Advisory: Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings
 
Phpjabbers–Bus Reservation System Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal information from the database. 2025-12-15 not yet calculated CVE-2023-53877 ExploitDB-51712
Product Webpage
VulnCheck Advisory: Bus Reservation System 1.1 Multiple SQL Injection via pickup_id Parameter
 
Phpjabbers–Member Login Script Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length header parsing. Attackers can send crafted POST requests with smuggled secondary requests to potentially bypass server-side request processing controls. 2025-12-15 not yet calculated CVE-2023-53878 ExploitDB-51710
Product Webpage
VulnCheck Advisory: Member Login Script 3.3 Client-Side Request Desynchronization Vulnerability
 
neonguvenlik–NVClient NVClient 5.0 contains a stack buffer overflow vulnerability in the user configuration contact field that allows attackers to crash the application. Attackers can overwrite 846 bytes of memory by pasting a crafted payload into the contact box, causing a denial of service condition. 2025-12-15 not yet calculated CVE-2023-53879 ExploitDB-51700
NVClient Product Documentation
VulnCheck Advisory: NVClient 5.0 Stack Buffer Overflow Vulnerability via User Configuration
 
Lucee–Lucee Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim’s browser sessions. 2025-12-15 not yet calculated CVE-2023-53880 ExploitDB-51668
Lucee Product Webpage
VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces
 
Ruijie–ReyeeOS ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests. 2025-12-15 not yet calculated CVE-2023-53881 ExploitDB-51642
Ruijie Networks Vendor Homepage
VulnCheck Advisory: ReyeeOS 1.204.1614 Man-in-the-Middle Remote Code Execution via CWMP
 
jlexart–JLex GuestBook JLex GuestBook 1.6.4 contains a reflected cross-site scripting vulnerability in the ‘q’ URL parameter that allows attackers to inject malicious scripts. Attackers can craft malicious links with XSS payloads to steal session tokens or execute arbitrary JavaScript in victims’ browsers. 2025-12-15 not yet calculated CVE-2023-53882 ExploitDB-51647
JLexArt Vendor Webpage
VulnCheck Advisory: JLex GuestBook 1.6.4 Reflected Cross-Site Scripting via URL Parameter
 
Webedition–Webedition CMS Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server. 2025-12-15 not yet calculated CVE-2023-53883 ExploitDB-51661
webEdition Product Webpage
VulnCheck Advisory: Webedition CMS v2.9.8.8 Remote Code Execution via PHP Page Creation
 
Webedition–Webedition CMS Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users. 2025-12-15 not yet calculated CVE-2023-53884 ExploitDB-51662
webEdition Product Webpage
VulnCheck Advisory: Webedition CMS v2.9.8.8 Stored Cross-Site Scripting via SVG Upload
 
Webutler–Webutler Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file. 2025-12-15 not yet calculated CVE-2023-53885 ExploitDB-51660
WEButler Product Homepage
VulnCheck Advisory: Webutler v3.2 Remote Code Execution via Arbitrary File Upload
 
Xlightftpd–Xlight FTP Server Xlight FTP Server 3.9.3.6 contains a stack buffer overflow vulnerability in the ‘Execute Program’ configuration that allows attackers to crash the application. Attackers can trigger the vulnerability by inserting 294 characters into the program execution configuration, causing a denial of service condition. 2025-12-15 not yet calculated CVE-2023-53886 ExploitDB-51665
XLight FTP Server
VulnCheck Advisory: Xlight FTP Server 3.9.3.6 Stack Buffer Overflow Vulnerability via Execute Program
 
Zomplog–Zomplog Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim’s browser. 2025-12-15 not yet calculated CVE-2023-53887 ExploitDB-51625
Zomplog Archived Product Webpage
VulnCheck Advisory: Zomplog 3.9 Cross-Site Scripting Vulnerability via Page Creation
 
Zomplog–Zomplog Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application. 2025-12-15 not yet calculated CVE-2023-53888 ExploitDB-51624
Zomplog Archived Product Webpage
VulnCheck Advisory: Zomplog 3.9 Remote Code Execution via Authenticated File Manipulation
 
Perch–Perch Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server. 2025-12-15 not yet calculated CVE-2023-53889 ExploitDB-51620
Perch Product Webpage
VulnCheck Advisory: Perch CMS 3.2 Remote Code Execution via Unrestricted File Upload
 
Perch–Perch Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks. 2025-12-15 not yet calculated CVE-2023-53890 ExploitDB-51621
Perch Product Webpage
VulnCheck Advisory: Perch CMS 3.2 Stored Cross-Site Scripting via SVG File Upload
 
blackcat-cms–Blackcat CMS Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page. 2025-12-15 not yet calculated CVE-2023-53891 ExploitDB-51604
BlackCat CMS Product Webpage
VulnCheck Advisory: Blackcat CMS 1.4 Stored Cross-Site Scripting via Page Modification
 
blackcat-cms–Blackcat CMS Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin’s PHP file with a ‘code’ parameter. 2025-12-15 not yet calculated CVE-2023-53892 ExploitDB-51605
BlackCat CMS Product Webpage
VulnCheck Advisory: Blackcat CMS 1.4 Remote Code Execution via Jquery Plugin Manager
 
Ateme–TITAN Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the application to make HTTP, DNS, or file requests to arbitrary destinations. 2025-12-15 not yet calculated CVE-2023-53893 ExploitDB-51582
Zero Science Lab Disclosure (ZSL-2023-5781)
Ateme Titan Product Webpage
VulnCheck Advisory: Ateme TITAN File 3.9 Authenticated Server-Side Request Forgery Vulnerability
 
python-jose–python-jose In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. 2025-12-17 not yet calculated CVE-2024-29370 https://github.com/mpdavis/python-jose/issues/344
 
python-jose–python-jose In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. 2025-12-17 not yet calculated CVE-2024-29371 https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack
 
FNT–FNT FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. 2025-12-15 not yet calculated CVE-2024-44598 http://fnt.com
https://gist.github.com/ZeroBreach-GmbH/e957dc32e72b366894565b7ff03659a4
 
FNT–FNT FNT Command 13.4.0 is vulnerable to Directory Traversal. 2025-12-15 not yet calculated CVE-2024-44599 http://fnt.com
https://gist.github.com/ZeroBreach-GmbH/577755034cb5c0423fbb0bba659b915d
 
Anaconda3–Apple Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user’s home directory. During installation, world-writable files are created and executed with root privileges. This allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user. 2025-12-17 not yet calculated CVE-2024-46060 https://m8sec.dev/blog/privilege-escalation-macos-pkg-installers/
https://www.anaconda.com/docs/getting-started/anaconda/release/2024.x#anaconda-2024-06-1
 
Miniconda3–Apple Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user’s home directory. During installation, world-writable files are created and executed with root privileges. This flaw allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user. 2025-12-17 not yet calculated CVE-2024-46062 https://m8sec.dev/blog/privilege-escalation-macos-pkg-installers/
https://www.anaconda.com/docs/getting-started/miniconda/release/23.x#miniconda-23-11-0-1
 
codepeople–Contact Form Email Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.60. 2025-12-18 not yet calculated CVE-2025-10019 https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-59-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
RTI–Connext Professional Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic. This issue affects Connext Professional: from 7.4.0 before 7.*, from 7.2.0 before 7.3.1. 2025-12-16 not yet calculated CVE-2025-10450 https://www.rti.com/vulnerabilities/#cve-2025-10450
 
Govee–H6056 A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: “device”, “sku”, “type”, and a client‑computed “value”, that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 lamp device in firmware version 1.08.13, but may also affect other Govee cloud‑connected devices. The vendor is investigating other potentially affected models. The vendor has deployed server-side security enhancements and automatic firmware updates for model H6056. Most H6056 devices have been successfully patched through automatic updates. Remaining H6056 users with upgradeable hardware versions must manually update firmware through the Govee Home app while keeping their device WiFi-connected. Users should open the Govee Home app, tap their H6056 device card to enter the device details page, tap the settings icon in the upper right corner, navigate to the Device Information section (Firmware Version), and tap the Update button to install the security patch immediately. Govee H6056 devices with hardware versions 1.00.10 or 1.00.11 cannot receive the firmware update due to hardware limitations. 2025-12-18 not yet calculated CVE-2025-10910 https://cert.pl/en/posts/2025/12/CVE-2025-10910/
 
Unknown–Royal Addons for Elementor The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action. 2025-12-15 not yet calculated CVE-2025-11363 https://wpscan.com/vulnerability/b2eadb7a-30a4-44c7-a420-849484faccf4/
 
ASUS–Armoury Crate An out-of-bounds read vulnerability has been identified in the asComSvc service. This vulnerability can be triggered by sending specially crafted requests, which may lead to a service crash or partial loss of functionality. This vulnerability only affects ASUS motherboard series products. Refer to the ‘Security Update for Armoury Crate App’ section on the ASUS Security Advisory for more information. 2025-12-17 not yet calculated CVE-2025-11775 https://www.asus.com/security-advisory
 
ASUS–B460 series An uncontrolled resource consumption vulnerability affects certain ASUS motherboards using Intel B460, B560, B660, B760, H410, H510, H610, H470, Z590, Z690, Z790, W480, W680 series chipsets. Exploitation requires physical access to internal expansion slots to install a specially crafted device and supporting software utility, and may lead to uncontrolled resource consumption that increases the risk of unauthorized direct memory access (DMA). Refer to the ‘Security Update for UEFI firmware’ section on the ASUS Security Advisory for more information. 2025-12-17 not yet calculated CVE-2025-11901 https://www.asus.com/security-advisory/
 
Unknown–URL Shortify The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins. 2025-12-15 not yet calculated CVE-2025-12684 https://wpscan.com/vulnerability/8f1e04c6-8781-4366-99d9-9a59102957cf/
 
Unknown–Pure WC Variation Swatches The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them. 2025-12-20 not yet calculated CVE-2025-12820 https://wpscan.com/vulnerability/36ccd54a-265a-44d5-b788-bc14446e3098/
 
Quest–Coexistence Manager for Notes Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding (CL.TE) attack vector. This could allow an attacker to bypass access controls, poison web caches, hijack sessions, or trigger unintended internal requests. This issue affects Coexistence Manager for Notes 3.8.2045. Other versions may also be affected. 2025-12-19 not yet calculated CVE-2025-12874 https://support.quest.com/coexistence-manager-for-notes/3.10
https://sra.io/advisories/
 
M-Files Corporation–M-Files Server An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users. 2025-12-19 not yet calculated CVE-2025-13008 https://product.m-files.com/security-advisories/cve-2025-13008
 
Unknown–Ocean Modal Window The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution. 2025-12-19 not yet calculated CVE-2025-13307 https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-7b74fc3c181b/
 
Unknown–URL Shortify The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2025-12-15 not yet calculated CVE-2025-13355 https://wpscan.com/vulnerability/8581af77-2d72-48e8-9b22-2c36f122473c/
 
Google Cloud–Dialogflow CX Messenger An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents’ knowledge and the ability to trigger their intents, by manipulating initialization parameters or crafting specific API requests. All versions after August 20th, 2025 have been updated to protect from this vulnerability. No user action is required for this. 2025-12-18 not yet calculated CVE-2025-13427 https://docs.cloud.google.com/dialogflow/docs/release-notes#December_11_2025
 
Rockwell Automation–Micro820, Micro850, Micro870 A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault. 2025-12-15 not yet calculated CVE-2025-13823 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html
 
Rockwell Automation–Micro820, Micro850, Micro870 A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF019. To recover, clear the fault. 2025-12-15 not yet calculated CVE-2025-13824 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html
 
Linkding–LinkDing A vulnerability in the bookmark asset upload and rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code attached to a shared bookmark, the JavaScript executes in the admin’s browser, retrieves the CSRF token, and sends a request to change the admin’s password, resulting in a full account takeover. 2025-12-17 not yet calculated CVE-2025-14202 https://www.cve.org/cverecord?id=CVE-2025-14202
 
Ercom–Cryptobox CSRF in the Ercom Cryptobox administration console allows an attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while having an open session on the administration console. 2025-12-17 not yet calculated CVE-2025-14266 https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2
 
M-Files Corporation–M-Files Server Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows sensitive data to leak. This affects versions before 25.12.15491.7. 2025-12-19 not yet calculated CVE-2025-14267 https://product.m-files.com/security-advisories/cve-2025-14267/
 
TP-Link Systems Inc.–Tapo C200 V3 The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS). 2025-12-20 not yet calculated CVE-2025-14299 https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/4849/
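The Content-Length entry above describes the classic path from an unchecked header value to an integer overflow and an oversized allocation. The following is an added example, not Tapo C200 firmware code: a naive conversion beside a parser that rejects non-digit input, values that overflow the integer type, and values above a cap the server is willing to buffer. The 1 MiB cap and the function names are assumptions for illustration.

```c
/* Added example: parsing Content-Length without the integer-overflow trap
 * described above. Not the Tapo C200 firmware's code; the body cap and the
 * function names are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Largest request body this (hypothetical) server will buffer. */
#define MAX_BODY_BYTES (1u << 20)   /* 1 MiB */

/* Vulnerable pattern: atoi() accepts a sign, so "-1" becomes SIZE_MAX after
 * the cast, and the result is handed straight to malloc(). */
size_t content_length_unchecked(const char *value)
{
    return (size_t)atoi(value);   /* "-1" -> SIZE_MAX */
}

/* Hardened parser: returns 0 on success and stores the length in *out,
 * -1 if the header is absent, malformed, overflows, or exceeds the cap.
 * RFC 9110 defines Content-Length as 1*DIGIT; anything else is rejected. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0')
        return -1;

    /* Only ASCII digits: rejects "-1", "+5", " 10", "10abc", "0x10". */
    for (const char *p = value; *p; p++)
        if (*p < '0' || *p > '9')
            return -1;

    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;                 /* value does not fit unsigned long long */
    if (v > MAX_BODY_BYTES)
        return -1;                 /* too big to buffer: answer 413 instead */
    *out = (size_t)v;              /* fits size_t because it fits the cap */
    return 0;
}

/* Convenience wrapper: 1 if the header value is accepted, 0 if rejected. */
int content_length_ok(const char *value)
{
    size_t n;
    return parse_content_length(value, &n) == 0;
}
```

The cap is the part that matters most for a device with little RAM: even a correctly parsed 4 GB Content-Length must not reach the allocator.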
 
TP-Link Systems Inc.–Tapo C200 V3 The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS). 2025-12-20 not yet calculated CVE-2025-14300 https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/4849/
 
Roxnor–PopupKit Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Roxnor PopupKit popup-builder-block allows Blind SQL Injection. This issue affects PopupKit through 2.1.5. 2025-12-18 not yet calculated CVE-2025-14314 https://vdp.patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sql-injection-vulnerability?_s_id=cve
 
M-Files Corporation–M-Files Server Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled. 2025-12-18 not yet calculated CVE-2025-14318 https://product.m-files.com/security-advisories/cve-2025-14318/
 
HP Inc–Poly G7500 In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI. 2025-12-16 not yet calculated CVE-2025-14432 https://support.hp.com/us-en/document/ish_13612310-13612332-16/hpsbpy04080
 
Eclipse OMR–Eclipse OMR In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc) to IBM-1047/037 translation sequence. This can cause the output byte array to be truncated, discarding the first NUL byte and all subsequent characters, and thereby exposing a possible buffer over-read problem. This issue is fixed in Eclipse OMR version 0.8.0. 2025-12-15 not yet calculated CVE-2025-14549 https://github.com/eclipse-omr/omr/pull/8073
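The Eclipse OMR entry above is a reminder that a translation routine must be driven by the caller's byte count, not by a NUL terminator. The following is an added example, not Eclipse OMR code: a minimal ASCII to IBM-1047/037 mapper with a length-driven and a strlen-driven front end. The letter, digit, space and NUL code points are the real EBCDIC values; every other byte is mapped to the EBCDIC substitution character 0x6F as a stand-in, which is an assumption made to keep the table short.

```c
/* Added example of the failure mode described above: a byte-array
 * translation that stops at the first NUL. This is not Eclipse OMR code.
 * The table covers only letters, digits, space and NUL of IBM-1047/037;
 * every other byte is mapped to EBCDIC '?' (0x6F) as a stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint8_t ascii_to_ebcdic(uint8_t c)
{
    if (c == 0x00) return 0x00;          /* NUL is a valid data byte, not a terminator */
    if (c == ' ')  return 0x40;
    if (c >= '0' && c <= '9') return (uint8_t)(0xF0 + (c - '0'));
    if (c >= 'A' && c <= 'I') return (uint8_t)(0xC1 + (c - 'A'));
    if (c >= 'J' && c <= 'R') return (uint8_t)(0xD1 + (c - 'J'));
    if (c >= 'S' && c <= 'Z') return (uint8_t)(0xE2 + (c - 'S'));
    if (c >= 'a' && c <= 'i') return (uint8_t)(0x81 + (c - 'a'));
    if (c >= 'j' && c <= 'r') return (uint8_t)(0x91 + (c - 'j'));
    if (c >= 's' && c <= 'z') return (uint8_t)(0xA2 + (c - 's'));
    return 0x6F;                          /* substitution character (assumption) */
}

/* Buggy: treats the input as a C string, so an embedded NUL truncates the
 * output. A caller that believes out[] now holds `len` translated bytes
 * reads stale or uninitialised memory past the real end: the over-read. */
size_t translate_cstr(const uint8_t *in, size_t len, uint8_t *out)
{
    (void)len;
    size_t n = strlen((const char *)in);  /* stops at the first 0x00 */
    for (size_t i = 0; i < n; i++) out[i] = ascii_to_ebcdic(in[i]);
    return n;                             /* < len whenever a NUL is present */
}

/* Fixed: the caller-supplied length drives the loop; NUL maps to 0x00 and
 * translation continues, so output length always equals input length. */
size_t translate_len(const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++) out[i] = ascii_to_ebcdic(in[i]);
    return len;
}
```

The check a practitioner wants is the one in the test below: translate a buffer with an embedded NUL and assert that the returned length equals the input length and that the byte after the NUL was actually written.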
 
TP-Link Systems Inc.–Tapo C210 Exposure of password hashes through an unauthenticated API response in TP-Link Tapo C210 V.1.8 app on iOS and Android, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged. 2025-12-16 not yet calculated CVE-2025-14553 https://apps.apple.com/us/app/tp-link-tapo/id1472718009
https://play.google.com/store/apps/details?id=com.tplink.iot
https://www.tp-link.com/us/support/faq/4840/
 
Perforce–Delphix Continuous Compliance In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. 2025-12-20 not yet calculated CVE-2025-14591 https://portal.perforce.com/s/article/TB137
https://portal.perforce.com/s/cve/a91Qi000002fThdIAE/pii-leak-due-to-change-in-eor-handling
 
The Document Foundation–LibreOffice An authentication bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker’s scripts run with the application’s TCC privileges. In fixed versions, parent constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on macOS from 25.2 before 25.2.4. 2025-12-15 not yet calculated CVE-2025-14714 https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714
 
WatchGuard–Fireware OS An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3. 2025-12-19 not yet calculated CVE-2025-14733 https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
 
TP-Link Systems Inc.–WA850RE Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows an authenticated adjacent attacker to inject arbitrary commands. This issue affects WA850RE V2 (≤ V2_160527) and WA850RE V3 (≤ V3_160922). 2025-12-18 not yet calculated CVE-2025-14737 https://www.tp-link.com/us/support/download/tl-wa850re/v2/#Firmware
https://www.tp-link.com/us/support/download/tl-wa850re/v3/#Firmware
https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-remote-command-injection-vulnerability/
https://www.tp-link.com/us/support/faq/4848/
 
TP-Link Systems Inc.–WA850RE Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file. This issue affects WA850RE V2 (≤ V2_160527) and WA850RE V3 (≤ V3_160922). 2025-12-18 not yet calculated CVE-2025-14738 https://www.tp-link.com/us/support/download/tl-wa850re/v2/#Firmware
https://www.tp-link.com/us/support/download/tl-wa850re/v3/#Firmware
https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-unauthenticated-configuration-disclosure-vulnerability/
https://www.tp-link.com/us/support/faq/4848/
 
TP-Link Systems Inc.–WR940N and WR941ND Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers to execute a DoS attack and potentially arbitrary code in the context of the ‘root’ user. This issue affects WR940N v5 (≤ 3.20.1 Build 200316) and WR941ND v6 (≤ 3.16.9 Build 151203). 2025-12-18 not yet calculated CVE-2025-14739 https://www.tp-link.com/us/support/download/tl-wr941nd/#Firmware
https://www.tp-link.com/us/support/download/tl-wr940n/v5/#Firmware
https://blog.exodusintel.com/2022/06/23/tp-link-wr940n-wr941nd-uninitialized-pointer-vulnerability/
https://www.tp-link.com/us/support/faq/4848/
 
Mozilla–Firefox for iOS Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0. 2025-12-18 not yet calculated CVE-2025-14744 https://bugzilla.mozilla.org/show_bug.cgi?id=1984683
https://www.mozilla.org/security/advisories/mfsa2025-97/
 
Google–Chrome Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.  2025-12-16 not yet calculated CVE-2025-14765 https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
https://issues.chromium.org/issues/448294721
 
Google–Chrome Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.  2025-12-16 not yet calculated CVE-2025-14766 https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
https://issues.chromium.org/issues/466786677
 
TECNO–Tecno Pova6 Pro 5G The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction. 2025-12-17 not yet calculated CVE-2025-14817 https://security.tecno.com/SRC/securityUpdates
https://security.tecno.com/SRC/blogdetail/434?lang=en_US
 
Mozilla–Firefox Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 146.0.1. 2025-12-18 not yet calculated CVE-2025-14860 https://bugzilla.mozilla.org/show_bug.cgi?id=2000597
https://www.mozilla.org/security/advisories/mfsa2025-98/
 
Mozilla–Firefox Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1. 2025-12-18 not yet calculated CVE-2025-14861 Memory safety bugs fixed in Firefox 146.0.1
https://www.mozilla.org/security/advisories/mfsa2025-98/
 
pretix–pretix Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. 2025-12-19 not yet calculated CVE-2025-14881 https://pretix.eu/about/en/blog/20251218-release-2025-10-1/
 
pretix–pretix-offlinesales An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. 2025-12-19 not yet calculated CVE-2025-14882 https://pretix.eu/about/en/blog/20251218-release-2025-10-1/
 
Johnson Controls–OpenBlue Workplace (formerly FM Systems) Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. 2025-12-17 not yet calculated CVE-2025-26381 https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03
https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs
 
Linksys-Linksys A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters. 2025-12-16 not yet calculated CVE-2025-29231 https://github.com/JZP018/Vuln/blob/main/linsys/E5600/XSS_wan_name/XSS_wan_name.md
https://github.com/Suryaandave/CVES/tree/main/CVE-2025-29231
 
NetSupport Software–Manager NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure. 2025-12-15 not yet calculated CVE-2025-34179 https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/
https://www.vulncheck.com/advisories/netsupport-manager-unauthenticated-sqli-local-file-disclosure
https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/
 
NetSupport Software–Manager NetSupport Manager < 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding scheme. An attacker who obtains access to a deployed client configuration file can decode the stored value to recover the plaintext Gateway Key. Possession of the Gateway Key allows unauthorized access to NetSupport Manager connectivity services and enables remote control of systems managed through the same key. 2025-12-15 not yet calculated CVE-2025-34180 https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/
https://www.vulncheck.com/advisories/netsupport-manager-gateway-key-reversible-encoding-credential-recovery
https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/
 
NetSupport Software–Manager NetSupport Manager < 14.12.0001 contains an arbitrary file write vulnerability in its Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This can be leveraged to place attacker-controlled DLLs or executables in privileged paths and achieve remote code execution in the context of the NetSupport Manager connectivity service. 2025-12-15 not yet calculated CVE-2025-34181 https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/
https://www.vulncheck.com/advisories/netsupport-manager-authenticated-path-traversal-arbitrary-write-rce
https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/
 
Nagios Enterprises–Nagios XI Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user. 2025-12-16 not yet calculated CVE-2025-34288 https://www.nagios.com/changelog/nagios-xi/2026r1-1/
https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo
 
Versa Networks–SASE Client for Windows Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\Config.msi and subsequently achieve execution as NT AUTHORITY\SYSTEM via MSI rollback techniques. 2025-12-20 not yet calculated CVE-2025-34290 https://security-portal.versa-networks.com/emailbulletins/69421e33d03aafc8e5bdaf21
https://www.vulncheck.com/advisories/versa-sase-client-for-windows-arbitrary-file-deletion-leading-to-lpe
 
EQS Group GmbH–Convercent Whistleblowing Platform The Convercent Whistleblowing Platform operated by EQS Group exposes an unauthenticated API endpoint at /GetLegalEntity that returns internal customer legal-entity names based on a supplied searchText fragment. A remote unauthenticated attacker can query the endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure. 2025-12-15 not yet calculated CVE-2025-34411 https://seclists.org/fulldisclosure/2025/Dec/4
https://www.convercent.com/
https://www.eqs.com/en-us/platform-convercent-clients/
https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-unauthenticated-getlegalentity-endpoing-enables-customer-enumeration
 
EQS Group GmbH–Convercent Whistleblowing Platform The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage. 2025-12-15 not yet calculated CVE-2025-34412 https://seclists.org/fulldisclosure/2025/Dec/4
https://www.convercent.com/
https://www.eqs.com/en-us/platform-convercent-clients/
https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls
 
World Wide Broadcast Network–AVideo AVideo versions from 14.3.1 before 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user. 2025-12-19 not yet calculated CVE-2025-34433 https://github.com/WWBN/AVideo/commit/4a53ab2
https://github.com/WWBN/AVideo/commit/a2bdbff
https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video. 2025-12-17 not yet calculated CVE-2025-34434 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/c279999cbd
https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video. 2025-12-17 not yet calculated CVE-2025-34435 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/275a54268b
https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-deletion
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks. 2025-12-17 not yet calculated CVE-2025-34436 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/c279999cbd
https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-upload
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects. 2025-12-17 not yet calculated CVE-2025-34437 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/d411f91805
https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video. 2025-12-17 not yet calculated CVE-2025-34438 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/c2feaf25cb
https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks. 2025-12-17 not yet calculated CVE-2025-34439 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/88bc40427b
https://www.vulncheck.com/advisories/avideo-open-redirect-via-canceluri-parameter
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks. 2025-12-17 not yet calculated CVE-2025-34440 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/77c70019b0
https://www.vulncheck.com/advisories/avideo-open-redirect-via-siteredirecturi-parameter
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations. 2025-12-17 not yet calculated CVE-2025-34441 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/1416c517e2
https://www.vulncheck.com/advisories/avideo-user-information-disclosure-via-public-api
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
World Wide Broadcast Network–AVideo AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains. 2025-12-17 not yet calculated CVE-2025-34442 https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/dbe3e91c54
https://www.vulncheck.com/advisories/avideo-system-path-disclosure-via-public-api
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
 
Genymobile–scrcpy Genymobile/scrcpy versions up to and including 3.3.3 and prior to commit 3e40b24 contain a global buffer overflow vulnerability in the function sc_read32be, invoked via sc_device_msg_deserialize() and process_msgs(). Processing crafted device messages can cause reads beyond the bounds of a global buffer, leading to memory corruption or crashes. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations. 2025-12-18 not yet calculated CVE-2025-34449 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-003-scrcpy-global-buffer-overflow.md
https://github.com/Genymobile/scrcpy/issues/6415
https://github.com/Genymobile/scrcpy/commit/3e40b24
https://www.vulncheck.com/advisories/genymobile-scrcpy-global-buffer-overflow
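The scrcpy entry above is a length-unaware read: a big-endian 32-bit field is read without checking that four bytes remain. The following is an added example, not scrcpy's code: a small deserializer for a message of an assumed shape (a type byte, a 32-bit big-endian text length, then the text) in which every read goes through a cursor that carries the remaining length. The message layout and function names are assumptions for illustration.

```c
/* Added example, not scrcpy's code: length-checked deserialisation of a
 * device message of an assumed shape (type byte, 32-bit big-endian text
 * length, text bytes). Function and message names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Unchecked reader in the style that caused the over-read: it trusts that
 * four bytes are present at buf regardless of how many were received. */
static uint32_t read32be_unchecked(const uint8_t *buf)
{
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
         | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

/* A cursor that carries the remaining length, so every read is bounded. */
struct cursor { const uint8_t *p; size_t left; };

static bool read32be(struct cursor *c, uint32_t *out)
{
    if (c->left < 4) return false;          /* short buffer: refuse, don't over-read */
    *out = read32be_unchecked(c->p);
    c->p += 4; c->left -= 4;
    return true;
}

/* Returns the number of bytes consumed, or 0 if the buffer is too short or
 * internally inconsistent. On 0 the caller waits for more data or drops
 * the connection; it never indexes past `len`. */
size_t msg_deserialize(const uint8_t *buf, size_t len,
                       uint8_t *type, const uint8_t **text, uint32_t *text_len)
{
    struct cursor c = { buf, len };
    if (c.left < 1) return 0;
    *type = *c.p; c.p++; c.left--;
    if (!read32be(&c, text_len)) return 0;
    if (*text_len > c.left) return 0;       /* declared length exceeds what we hold */
    *text = c.p;
    return 1 + 4 + (size_t)*text_len;
}
```

Returning "consumed bytes or 0" lets the caller loop over a receive buffer that may hold a partial trailing message without ever trusting a length field it has not validated against the bytes actually present.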
 
merbanan–rtl_433 merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations. 2025-12-18 not yet calculated CVE-2025-34450 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-004-rtl_433-rfraw-parse-overflow.md
https://github.com/merbanan/rtl_433/issues/3375
https://github.com/dd32/rtl_433/commit/25e47f8
https://www.vulncheck.com/advisories/merbanan-rtl-433-stack-based-buffer-overflow
 
rofl0r–proxychains-ng rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted proxy configuration entries containing overly long username or password fields, the application may write beyond the bounds of fixed-size stack buffers, leading to memory corruption or crashes. This vulnerability may allow denial of service and, under certain conditions, could be leveraged for further exploitation depending on the execution environment and applied mitigations. 2025-12-18 not yet calculated CVE-2025-34451 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-008-proxychains-ng-stack-buffer-overflow-proxy_from_string.md
https://github.com/rofl0r/proxychains-ng/issues/606
https://github.com/httpsgithu/proxychains-ng/commit/cc005b7
https://www.vulncheck.com/advisories/rofl0r-proxychains-ng-stack-based-buffer-overflow
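The rtl_433 and proxychains-ng entries above are the complementary case to the over-read: input longer than a fixed-size stack buffer is copied in without a bound. The following is an added example, not proxychains-ng code, of parsing a proxy entry of an assumed "type host port [user pass]" shape into fixed-size buffers where every field copy is bounded and an over-long field is rejected rather than truncated. Field sizes and the entry format are assumptions for illustration.

```c
/* Added example, not proxychains-ng code: parsing a proxy entry of the
 * shape "type host port [user pass]" into fixed-size stack buffers with
 * the length checks that the description says were missing. Field sizes
 * and the entry format are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64
#define CRED_MAX 64

struct proxy_entry {
    char type[8];
    char host[HOST_MAX];
    unsigned short port;
    char user[CRED_MAX];
    char pass[CRED_MAX];
};

/* Copy one whitespace-delimited token into dst[cap]. Returns the number of
 * source bytes consumed, or 0 if the token is empty or would not fit.
 * Refusing (rather than silently truncating) matters for credentials: a
 * truncated password would authenticate against the wrong secret. */
static size_t copy_token(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    while (src[n] && src[n] != ' ' && src[n] != '\t') n++;
    if (n == 0 || n >= cap) return 0;        /* leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Returns true and fills *out on success; false for malformed or
 * over-long input (which, unchecked, is where the overflow lived). */
bool proxy_from_string_safe(const char *line, struct proxy_entry *out)
{
    size_t n;
    memset(out, 0, sizeof *out);

    line = skip_ws(line);
    if (!(n = copy_token(line, out->type, sizeof out->type))) return false;
    line = skip_ws(line + n);
    if (!(n = copy_token(line, out->host, sizeof out->host))) return false;
    line = skip_ws(line + n);

    char portbuf[6];                          /* "65535" + NUL */
    if (!(n = copy_token(line, portbuf, sizeof portbuf))) return false;
    char *end;
    long port = strtol(portbuf, &end, 10);
    if (*end || port < 1 || port > 65535) return false;
    out->port = (unsigned short)port;
    line = skip_ws(line + n);

    if (*line == '\0') return true;           /* no credentials: done */
    if (!(n = copy_token(line, out->user, sizeof out->user))) return false;
    line = skip_ws(line + n);
    if (!(n = copy_token(line, out->pass, sizeof out->pass))) return false;
    line = skip_ws(line + n);
    return *line == '\0';                     /* trailing junk is an error */
}
```

The same shape applies to rtl_433's raw RF input: the bound on the destination is checked before the copy, and the parse fails closed when the data does not fit.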
 
Streama–Streama Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution. 2025-12-18 not yet calculated CVE-2025-34452 https://github.com/streamaserver/streama/commit/b7c8767
https://chocapikk.com/posts/2025/streama-path-traversal-ssrf/
https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: “The error code within @ptr if it is an error pointer; 0 otherwise.” This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). 2025-12-16 not yet calculated CVE-2025-40346 https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37
https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68
https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235
https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e
https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f
https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2
https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1
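The arch_topology entry above hinges on a subtle property of the kernel's err.h helpers. The following is an added example, not kernel code: a userspace model of IS_ERR, PTR_ERR_OR_ZERO and IS_ERR_OR_NULL, following the definitions in include/linux/err.h (MAX_ERRNO = 4095), with the pre-fix and post-fix predicates side by side. The "clock" lookup and rate functions are stand-ins for of_clk_get() and clk_get_rate() and are assumptions for illustration.

```c
/* Added example, not kernel code: a userspace model of the err.h helpers
 * involved in the fix above, showing why !PTR_ERR_OR_ZERO(p) lets a NULL
 * through while !IS_ERR_OR_NULL(p) does not. The helpers follow the
 * definitions in include/linux/err.h (MAX_ERRNO = 4095); the clock lookup
 * and rate functions are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>

#define MAX_ERRNO 4095

static inline bool IS_ERR_VALUE(unsigned long x)
{
    return x >= (unsigned long)-MAX_ERRNO;   /* top 4095 addresses encode -errno */
}
static inline void *ERR_PTR(long error)       { return (void *)error; }
static inline long  PTR_ERR(const void *ptr)  { return (long)ptr; }
static inline bool  IS_ERR(const void *ptr)   { return IS_ERR_VALUE((unsigned long)ptr); }
static inline bool  IS_ERR_OR_NULL(const void *ptr)
{
    return ptr == NULL || IS_ERR(ptr);
}
/* "The error code within @ptr if it is an error pointer; 0 otherwise." */
static inline long PTR_ERR_OR_ZERO(const void *ptr)
{
    return IS_ERR(ptr) ? PTR_ERR(ptr) : 0;
}

/* Buggy predicate from the pre-fix code: true for valid AND NULL pointers. */
bool proceed_buggy(const void *clk)
{
    return !PTR_ERR_OR_ZERO(clk);
}

/* Fixed predicate: true only for a real, non-error, non-NULL pointer. */
bool proceed_fixed(const void *clk)
{
    return !IS_ERR_OR_NULL(clk);
}

/* Stand-in for clk_get_rate(): dereferences its argument, so calling it
 * with NULL is exactly the crash the fix prevents. */
struct clk { unsigned long rate; };
unsigned long clk_get_rate(const struct clk *clk)
{
    return clk->rate;
}

/* Stand-in for of_clk_get(): 0 -> valid clock, 1 -> "no clock" (NULL),
 * anything else -> error pointer. */
static struct clk fake_clk = { 24000000UL };
struct clk *of_clk_get(int which)
{
    switch (which) {
    case 0:  return &fake_clk;
    case 1:  return NULL;
    default: return ERR_PTR(-ENOENT);
    }
}

/* Returns the rate, or 0 when the clock must be skipped. With `use_fix`
 * false this is the dereference-NULL path for which == 1; with it true,
 * the NULL is skipped. */
unsigned long capacity_from_clock(int which, bool use_fix)
{
    struct clk *clk = of_clk_get(which);
    bool ok = use_fix ? proceed_fixed(clk) : proceed_buggy(clk);
    if (!ok) return 0;
    return clk_get_rate(clk);
}
```

The general lesson: PTR_ERR_OR_ZERO() answers "is this an error?", not "is this usable?"; a function that may return NULL as well as ERR_PTR() needs IS_ERR_OR_NULL().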
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix the deadlock of enetc_mdio_lock After applying the workaround for err050089, the LS1028A platform experiences RCU stalls on the RT kernel. This issue is caused by the recursive acquisition of the read lock enetc_mdio_lock. Listed here are some of the call stacks identified under the enetc_poll path that may lead to a deadlock: enetc_poll -> enetc_lock_mdio -> enetc_clean_rx_ring OR napi_complete_done -> napi_gro_receive -> enetc_start_xmit -> enetc_lock_mdio -> enetc_map_tx_buffs -> enetc_unlock_mdio -> enetc_unlock_mdio After enetc_poll acquires the read lock, a higher-priority writer attempts to acquire the lock, causing preemption. The writer detects that a read lock is already held and is scheduled out. However, readers under enetc_poll cannot acquire the read lock again because a writer is already waiting, leading to a thread hang. Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent recursive lock acquisition. 2025-12-16 not yet calculated CVE-2025-40347 https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5
https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed
https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa
https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts If two competing threads enter alloc_slab_obj_exts() and one of them fails to allocate the object extension vector, it might override the valid slab->obj_exts allocated by the other thread with OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and expects a valid pointer to dereference a NULL pointer later on. Update slab->obj_exts atomically using cmpxchg() to avoid slab->obj_exts overrides by racing threads. Thanks to Vlastimil and Suren for their help with debugging. 2025-12-16 not yet calculated CVE-2025-40348 https://git.kernel.org/stable/c/c7af5300d78460fc5037ddc77113ba3dbfe77dc0
https://git.kernel.org/stable/c/7c34feda6a9a203c9744281f1b6671b7dad2012d
https://git.kernel.org/stable/c/6ed8bfd24ce1cb31742b09a3eb557cd008533eec
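The slab entry above fixes a lost-update race by publishing through cmpxchg() instead of a plain store. The following is an added example, not kernel code: the same publish-once pattern modelled in userspace with the GCC/Clang __atomic builtins. The two "threads" are stepped by hand in a fixed order so the race is deterministic; the OBJEXTS_ALLOC_FAIL marker value, the slab layout and the function names are assumptions for illustration.

```c
/* Added example, not kernel code: the publish-once pattern from the fix
 * above, modelled in userspace with GCC/Clang __atomic builtins. Two
 * "threads" are stepped by hand in a fixed order so the race is
 * deterministic: thread A allocates and installs a vector, then thread B,
 * whose allocation failed, records the failure marker. Names are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define OBJEXTS_ALLOC_FAIL ((uintptr_t)1)    /* marker value: assumption */

struct slab { uintptr_t obj_exts; };        /* 0 = not yet allocated */

/* Pre-fix behaviour: unconditional store. Whoever stores last wins, so a
 * failed allocator can clobber a valid vector installed a moment earlier. */
static void publish_plain(struct slab *s, uintptr_t val)
{
    __atomic_store_n(&s->obj_exts, val, __ATOMIC_RELEASE);
}

/* Fixed behaviour: compare-and-exchange against 0. The store only lands if
 * the slot is still empty; otherwise the caller learns the current value
 * and must use (or free its own vector and use) what the winner installed. */
static bool publish_cmpxchg(struct slab *s, uintptr_t val, uintptr_t *current)
{
    uintptr_t expected = 0;
    bool won = __atomic_compare_exchange_n(&s->obj_exts, &expected, val,
                                           false, __ATOMIC_ACQ_REL,
                                           __ATOMIC_ACQUIRE);
    *current = won ? val : expected;
    return won;
}

/* Plays the interleaving from the description and returns what ends up in
 * slab->obj_exts. With `fixed` false the valid vector is overwritten by
 * the failure marker, and thread A later dereferences a pointer it has
 * every reason to believe is valid. */
uintptr_t run_race(bool fixed)
{
    static uintptr_t vector_storage[4];        /* thread A's real vector */
    uintptr_t vec = (uintptr_t)vector_storage;
    struct slab s = { 0 };
    uintptr_t seen;

    if (!fixed) {
        publish_plain(&s, vec);                /* A installs a valid vector */
        publish_plain(&s, OBJEXTS_ALLOC_FAIL); /* B clobbers it */
        return s.obj_exts;
    }
    publish_cmpxchg(&s, vec, &seen);           /* A wins: seen == vec */
    publish_cmpxchg(&s, OBJEXTS_ALLOC_FAIL, &seen); /* B loses: slot intact, seen == vec */
    return s.obj_exts;
}

bool is_valid_vector(uintptr_t v)
{
    return v != 0 && v != OBJEXTS_ALLOC_FAIL;
}
```

The loser's obligation is the part easy to forget: after a failed cmpxchg it must adopt the value it was handed back, not the one it tried to store.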
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hfs: validate record offset in hfsplus_bmap_alloc hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 [ 15.265949] [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) [ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.266167] Call Trace: [ 15.266168] <TASK> [ 15.266169] dump_stack_lvl+0x53/0x70 [ 15.266173] print_report+0xd0/0x660 [ 15.266181] kasan_report+0xce/0x100 [ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 [ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 [ 15.266217] hfsplus_brec_insert+0x870/0xb00 [ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 [ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 [ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 [ 15.266233] hfsplus_file_extend+0x5a7/0x1000 [ 15.266237] hfsplus_get_block+0x12b/0x8c0 [ 15.266238] __block_write_begin_int+0x36b/0x12c0 [ 15.266251] block_write_begin+0x77/0x110 [ 15.266252] cont_write_begin+0x428/0x720 [ 15.266259] hfsplus_write_begin+0x51/0x100 [ 15.266262] cont_write_begin+0x272/0x720 [ 15.266270] hfsplus_write_begin+0x51/0x100 [ 15.266274] generic_perform_write+0x321/0x750 [ 15.266285] generic_file_write_iter+0xc3/0x310 [ 15.266289] __kernel_write_iter+0x2fd/0x800 [ 15.266296] dump_user_range+0x2ea/0x910 [ 15.266301] elf_core_dump+0x2a94/0x2ed0 [ 15.266320] vfs_coredump+0x1d85/0x45e0 [ 15.266349] get_signal+0x12e3/0x1990 [ 15.266357] arch_do_signal_or_restart+0x89/0x580 [ 15.266362] irqentry_exit_to_user_mode+0xab/0x110 [ 15.266364] asm_exc_page_fault+0x26/0x30 [ 15.266366] RIP: 0033:0x41bd35 [ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f [ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 [ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 [ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 [ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 [ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 [ 15.266376] </TASK> When calling hfsplus_bmap_alloc to allocate a free node, this function first retrieves the bitmap from header node and map node using node->page together with the offset and length from hfs_brec_lenoff ``` len = hfs_brec_lenoff(node, 2, &off16); off = off16; off += node->page_offset; pagep = node->page + (off >> PAGE_SHIFT); data = kmap_local_page(*pagep); ``` However, if the retrieved offset or length is invalid (i.e. exceeds node_size), the code may end up accessing pages outside the allocated range for this node. This patch adds proper validation of both offset and length before use, preventing out-of-bounds page access. Move is_bnode_offset_valid and check_and_correct_requested_length to hfsplus_fs.h, as they may be required by other functions. 2025-12-16 not yet calculated CVE-2025-40349 https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c
https://git.kernel.org/stable/c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b
https://git.kernel.org/stable/c/418e48cab99c52c1760636a4dbe464bf6db2018b
https://git.kernel.org/stable/c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf
https://git.kernel.org/stable/c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227
https://git.kernel.org/stable/c/17ed51cfce6c62cffb97059ef392ad2e0245806e
https://git.kernel.org/stable/c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f
https://git.kernel.org/stable/c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ XDP programs can change the layout of an xdp_buff through bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver cannot assume the size of the linear data area or of the fragments. Fix the bug in mlx5 by generating the skb according to the xdp_buff after XDP programs run. Currently, when handling multi-buf XDP, the mlx5 driver assumes the layout of an xdp_buff to be unchanged. That is, the linear data area continues to be empty and fragments remain the same. This may cause the driver to generate an erroneous skb or trigger a kernel warning. When an XDP program has added linear data through bpf_xdp_adjust_head(), the linear data will be ignored as mlx5e_build_linear_skb() builds an skb without linear data and then pulls data from fragments to fill the linear data area. When an XDP program has shrunk the non-linear data through bpf_xdp_adjust_tail(), the delta passed to __pskb_pull_tail() may exceed the actual nonlinear data size and trigger the BUG_ON in it. To fix the issue, first record the original number of fragments. If the number of fragments changes after the XDP program runs, rewind the end fragment pointer by the difference and recalculate the truesize. Then, build the skb with the linear data area matching the xdp_buff. Finally, only pull data in if there is non-linear data and fill the linear part up to 256 bytes. 2025-12-16 not yet calculated CVE-2025-40350 https://git.kernel.org/stable/c/8b051d7f530e8a5237da242fbeafef02fec6b813
https://git.kernel.org/stable/c/cb9edd583e23979ee546981be963ad5f217e8b18
https://git.kernel.org/stable/c/f2557d7fa38e9475b38588f5c124476091480f53
https://git.kernel.org/stable/c/87bcef158ac1faca1bd7e0104588e8e2956d10be
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() The syzbot reported an issue in hfsplus_delete_cat(): [ 70.682285][ T9333] ===================================================== [ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 [ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 [ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 [ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 [ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 [ 70.685447][ T9333] do_rmdir+0x964/0xea0 [ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 [ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 [ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.687646][ T9333] [ 70.687856][ T9333] Uninit was stored to memory at: [ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 [ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 [ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 [ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 [ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 [ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 [ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.692773][ T9333] [ 70.692990][ T9333] Uninit was stored to memory at: [ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 [ 70.694911][ T9333] mount_bdev+0x37b/0x530 [ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 [ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.696588][ T9333] do_new_mount+0x73e/0x1630 [ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 [ 70.697425][ T9333] __se_sys_mount+0x733/0x830 [ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.699730][ T9333] [ 70.699946][ T9333] Uninit was created at: [ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 [ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 [ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 [ 70.701774][ T9333] allocate_slab+0x30e/0x1390 [ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 [ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 [ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 [ 70.703598][ T9333] alloc_inode+0x82/0x490 [ 70.703984][ T9333] iget_locked+0x22e/0x1320 [ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 [ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 [ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 [ 70.705776][ T9333] mount_bdev+0x37b/0x530 [ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 [ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.707444][ T9333] do_new_mount+0x73e/0x1630 [ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 [ 70.708270][ T9333] __se_sys_mount+0x733/0x830 [ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.710611][ T9333] [ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 [ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.712490][ T9333] ===================================================== [ 70.713085][ T9333] Disabling lock debugging due to kernel taint [ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ... [ 70.714159][ T9333] ---truncated--- 2025-12-16 not yet calculated CVE-2025-40351 https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885
https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4
https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041
https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9
https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf
https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05
https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d
https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init The lock-related debug logic (CONFIG_LOCK_STAT) in the kernel emits the following warning when the BlueField-3 SOC is booted: BUG: key ffff00008a3402a8 has not been registered! ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0 <snip> Call trace: lockdep_init_map_type+0x1d4/0x2a0 __kernfs_create_file+0x84/0x140 sysfs_add_file_mode_ns+0xcc/0x1cc internal_create_group+0x110/0x3d4 internal_create_groups.part.0+0x54/0xcc sysfs_create_groups+0x24/0x40 device_add+0x6e8/0x93c device_register+0x28/0x40 __hwmon_device_register+0x4b0/0x8a0 devm_hwmon_device_register_with_groups+0x7c/0xe0 mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc] platform_probe+0x70/0x110 The mlxbf_pmc driver must call sysfs_attr_init() during the initialization of the “count_clock” data structure to avoid this warning. 2025-12-16 not yet calculated CVE-2025-40352 https://git.kernel.org/stable/c/46be1f5aae82b4136f676528ff091629697c7719
https://git.kernel.org/stable/c/a7b4747d8e0e7871c3d4971cded1dcc9af6af9e9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Do not warn if the page is already tagged in copy_highpage() The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a (“mm: migrate: support poisoned recover from migrate folio”), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the same destination page. Since copy_highpage() already set the PG_mte_tagged flag, this second copy will warn. Replace the WARN_ON_ONCE(page already tagged) in the arm64 copy_highpage() with a comment. 2025-12-16 not yet calculated CVE-2025-40353 https://git.kernel.org/stable/c/5ff5765a1fc526f07d3bbaedb061d970eb13bcf4
https://git.kernel.org/stable/c/0bbf3fc6e9211fce9889fe8efbb89c220504d617
https://git.kernel.org/stable/c/b98c94eed4a975e0c80b7e90a649a46967376f58
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: increase max link count and fix link->enc NULL pointer access [why] 1.) The dc->links[MAX_LINKS] array size is smaller than actually requested: max_connector + max_dpia + 4 virtual = 14. Increase it from 12 to 14. 2.) hw_init() accesses a NULL LINK_ENC for a dpia non display_endpoint. (cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45) 2025-12-16 not yet calculated CVE-2025-40354 https://git.kernel.org/stable/c/f28092be4e12b7df9e4f415d25bf0d767bc2d9ed
https://git.kernel.org/stable/c/a3fc0d36cfb927f8986b83bf5fba47dbedad3c63
https://git.kernel.org/stable/c/bec947cbe9a65783adb475a5fb47980d7b4f4796
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sysfs: check visibility before changing group attribute ownership Since commit 0c17270f9b92 (“net: sysfs: Implement is_visible for phys_(port_id, port_name, switch_id)”), __dev_change_net_namespace() can hit WARN_ON() when trying to change owner of a file that isn’t visible. See the trace below: WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30 CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025 RIP: 0010:__dev_change_net_namespace+0xb89/0xc30 […] Call Trace: <TASK> ? if6_seq_show+0x30/0x50 do_setlink.isra.0+0xc7/0x1270 ? __nla_validate_parse+0x5c/0xcc0 ? security_capable+0x94/0x1a0 rtnl_newlink+0x858/0xc20 ? update_curr+0x8e/0x1c0 ? update_entity_lag+0x71/0x80 ? sched_balance_newidle+0x358/0x450 ? psi_task_switch+0x113/0x2a0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x346/0x3e0 ? sched_clock+0x10/0x30 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? __sys_bind+0xe3/0x110 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? sock_alloc_file+0x63/0xc0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? alloc_fd+0x12e/0x190 ? put_unused_fd+0x2a/0x70 ? do_sys_openat2+0xa2/0xe0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e […] </TASK> Fix this by checking is_visible() before trying to touch the attribute. 2025-12-16 not yet calculated CVE-2025-40355 https://git.kernel.org/stable/c/ac2c526e103285d80a0330b91a318f6c9276d35a
https://git.kernel.org/stable/c/c7fbb8218b4ad35fec0bd2256d2b9c8d60331f33
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix DMA-API usage Use the DMA-API dma_map_single() call for getting the DMA address of the transfer buffer instead of hacking with virt_to_phys(). This fixes the following DMA-API debug warning: ------------[ cut here ]------------ DMA-API: rockchip-sfc fe300000.spi: device driver tries to sync DMA memory it has not allocated [device address=0x000000000cf70000] [size=288 bytes] WARNING: kernel/dma/debug.c:1106 at check_sync+0x1d8/0x690, CPU#2: systemd-udevd/151 Modules linked in: ... Hardware name: Hardkernel ODROID-M1 (DT) pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : check_sync+0x1d8/0x690 lr : check_sync+0x1d8/0x690 .. Call trace: check_sync+0x1d8/0x690 (P) debug_dma_sync_single_for_cpu+0x84/0x8c __dma_sync_single_for_cpu+0x88/0x234 rockchip_sfc_exec_mem_op+0x4a0/0x798 [spi_rockchip_sfc] spi_mem_exec_op+0x408/0x498 spi_nor_read_data+0x170/0x184 spi_nor_read_sfdp+0x74/0xe4 spi_nor_parse_sfdp+0x120/0x11f0 spi_nor_sfdp_init_params_deprecated+0x3c/0x8c spi_nor_scan+0x690/0xf88 spi_nor_probe+0xe4/0x304 spi_mem_probe+0x6c/0xa8 spi_probe+0x94/0xd4 really_probe+0xbc/0x298 ... 2025-12-16 not yet calculated CVE-2025-40356 https://git.kernel.org/stable/c/22810d4cb0e8a7d51b24527e73beac60afc1c693
https://git.kernel.org/stable/c/ee795e82e10197c070efd380dc9615c73dffad6c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/smc: fix general protection fault in __smc_diag_dump The syzbot reported a crash: Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace: <TASK> smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The process is like this: (CPU1) | (CPU2) --------------------------------|------------------------------- inet_create() | // init clcsock to NULL | sk = sk_alloc() | | // unexpectedly change clcsock | inet_init_csk_locks() | | // add sk to hash table | smc_inet_init_sock() | smc_sk_init() | smc_hash_sk() | | // traverse the hash table | smc_diag_dump_proto | __smc_diag_dump() | // visit wrong clcsock | smc_diag_msg_common_fill() // alloc clcsock | smc_create_clcsk | sock_create_kern | With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is not needed by smc, so just remove it. After removing the INET_PROTOSW_ICSK flag, this patch also reverts commit 6fd27ea183c2 (“net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC”) to avoid casting smc_sock to inet_connection_sock. 2025-12-16 not yet calculated CVE-2025-40357 https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2
https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3
https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: riscv: stacktrace: Disable KASAN checks for non-current tasks When unwinding the stack of a task other than current, KASAN would report “BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460”. The same issue exists on x86 and was resolved by commit 84936118bdf3 (“x86/unwind: Disable KASAN checks for non-current tasks”). The same solution can be applied to RISC-V. This patch also resolves the issue reported at: https://seclists.org/oss-sec/2025/q4/23 [pjw@kernel.org: clean up checkpatch issues] 2025-12-16 not yet calculated CVE-2025-40358 https://git.kernel.org/stable/c/f34ba22989da61186f30a40b6a82e0b3337b96fc
https://git.kernel.org/stable/c/27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2
https://git.kernel.org/stable/c/2c8d2b53866fb229b438296526ef0fa5a990e5e5
https://git.kernel.org/stable/c/060ea84a484e852b52b938f234bf9b5503a6c910
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix KASAN global-out-of-bounds warning When running the “perf mem record” command on CWF, the below KASAN global-out-of-bounds warning is seen. ================================================================== BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 Call Trace: kasan_report+0xb8/0xf0 cmt_latency_data+0x176/0x1b0 setup_arch_pebs_sample_data+0xf49/0x2560 intel_pmu_drain_arch_pebs+0x577/0xb00 handle_pmi_common+0x6c4/0xc80 The issue is caused by the code below in __grt_latency_data(). The code tries to access the x86_hybrid_pmu structure, which doesn’t exist on a non-hybrid platform like CWF. WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) So add an is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue. 2025-12-16 not yet calculated CVE-2025-40359 https://git.kernel.org/stable/c/1b61a1da3d8105ea1be548c94c2856697eb7ffd1
https://git.kernel.org/stable/c/710a72e81a7028e1ad1a10eb14f941f8dd45ffd3
https://git.kernel.org/stable/c/0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/sysfb: Do not dereference NULL pointer in plane reset The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL. v2: - fix typo in commit description (Javier) 2025-12-16 not yet calculated CVE-2025-40360 https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152
https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5
https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16
https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77
https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232
https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock The parent function ext4_xattr_inode_lookup_create already uses GFP_NOFS for memory allocation, so the function ext4_xattr_inode_cache_find should use the same gfp_flag. 2025-12-16 not yet calculated CVE-2025-40361 https://git.kernel.org/stable/c/5e6b27f4e68682aa3db9f83ca04adef89903159b
https://git.kernel.org/stable/c/bb7d0d13c6e1f061464d1c425b08348a4e0c235d
https://git.kernel.org/stable/c/add8458cac0b33a5e7a6b98457b38baea9600859
https://git.kernel.org/stable/c/199ab7b43c5ef7d384f6a08e786e107b3509acda
https://git.kernel.org/stable/c/238f7a7356c33a9797a6297c6fdfd87f113b2325
https://git.kernel.org/stable/c/009127b0fc013aed193961686c28c2b541a5b2f3
https://git.kernel.org/stable/c/1534f72dc2a11ded38b0e0268fbcc0ca24e9fd4a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ceph: fix multifs mds auth caps issue The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t. user authentication; the following is one such example. Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say ‘fsname1’ and ‘fsname2’ 2. Authorize read only permission to the user ‘client.usr’ on fs ‘fsname1’ $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user ‘client.usr’ on fs ‘fsname2’ $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring $ceph auth get client.usr >> ./keyring With the above permissions for the user ‘client.usr’, the following is the expectation. a. The ‘client.usr’ should be able to only read the contents and not be allowed to create or delete files on file system ‘fsname1’. b. The ‘client.usr’ should be able to read/write on file system ‘fsname2’. But, with this bug, the ‘client.usr’ is allowed to read/write on file system ‘fsname1’. See below. 5. Mount the file system ‘fsname1’ with the user ‘client.usr’ $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system ‘fsname1’ with user ‘client.usr’. This should fail but passes with this bug. $touch /kmnt_fsname1_usr/file1 7. Mount the file system ‘fsname1’ with the user ‘client.admin’ and create a file. $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin $echo “data” > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system ‘fsname1’ with the user ‘client.usr’. This shouldn’t succeed but succeeds with the bug. $rm -f /kmnt_fsname1_usr/admin_file1 For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below. v2: Fix a possible null dereference in doutc v3: Don’t store fsname from mdsmap, validate against ceph_mount_options’s fsname and use it v4: Code refactor, better warning message and fix possible compiler warning [ Slava.Dubeyko: “fsname check failed” -> “fsname mismatch” ] 2025-12-16 not yet calculated CVE-2025-40362 https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932
https://git.kernel.org/stable/c/ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523
https://git.kernel.org/stable/c/22c73d52a6d05c5a2053385c0d6cd9984732799d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix field-spanning memcpy warning in AH output Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields. memcpy: detected field-spanning write (size 40) of single field “&top_iph->saddr” at net/ipv6/ah6.c:439 (size 16) WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439 The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication. 2025-12-16 not yet calculated CVE-2025-40363 https://git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248
https://git.kernel.org/stable/c/9bf27de51bd6db5ff827780ec0eba55de230ba45
https://git.kernel.org/stable/c/0bf756ae1e69fec5e6332c37830488315d6d771b
https://git.kernel.org/stable/c/75b16b2755e12999ad850756ddfb88ad4bfc7186
https://git.kernel.org/stable/c/f28dde240160f3c48a50d641d210ed6a3b9596ed
https://git.kernel.org/stable/c/c14cf41094136691c92ef756872570645d61f4a1
https://git.kernel.org/stable/c/b056f971bd72b373b7ae2025a8f3bd18f69653d3
https://git.kernel.org/stable/c/2327a3d6f65ce2fe2634546dde4a25ef52296fec
 
SonicWall–SMA1000 A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). 2025-12-18 not yet calculated CVE-2025-40602 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
 
Apple–iOS and iPadOS A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication. 2025-12-17 not yet calculated CVE-2025-43428 https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data. 2025-12-17 not yet calculated CVE-2025-43475 https://support.apple.com/en-us/125884
 
Apple–iOS and iPadOS A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. 2025-12-17 not yet calculated CVE-2025-43501 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
 
Apple–macOS The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data. 2025-12-17 not yet calculated CVE-2025-43514 https://support.apple.com/en-us/125886
 
Apple–Safari This issue was addressed with improved URL validation. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted. 2025-12-17 not yet calculated CVE-2025-43526 https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report. 2025-12-17 not yet calculated CVE-2025-43529 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–iOS and iPadOS A race condition was addressed with improved state handling. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. 2025-12-17 not yet calculated CVE-2025-43531 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–tvOS Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash. 2025-12-17 not yet calculated CVE-2025-43533 https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–iOS and iPadOS The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. 2025-12-17 not yet calculated CVE-2025-43535 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3. Processing maliciously crafted web content may lead to an unexpected process crash. 2025-12-17 not yet calculated CVE-2025-43536 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash. 2025-12-17 not yet calculated CVE-2025-43541 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
 
Johnson Control–iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device. 2025-12-17 not yet calculated CVE-2025-43873 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-02
 
Apple–iOS and iPadOS A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2. An app may be able to access a user’s Safari history. 2025-12-17 not yet calculated CVE-2025-46277 https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–macOS The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data. 2025-12-17 not yet calculated CVE-2025-46278 https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. An app may be able to identify what other apps a user has installed. 2025-12-17 not yet calculated CVE-2025-46279 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–macOS A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2. An app may be able to break out of its sandbox. 2025-12-17 not yet calculated CVE-2025-46281 https://support.apple.com/en-us/125886
 
Apple–Safari The issue was addressed with additional permissions checks. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. An app may be able to access sensitive user data. 2025-12-17 not yet calculated CVE-2025-46282 https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125886
 
Apple–macOS A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.2. An app may be able to access sensitive user data. 2025-12-17 not yet calculated CVE-2025-46283 https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS A permissions issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2, macOS Tahoe 26.2. An app may be able to access sensitive payment tokens. 2025-12-17 not yet calculated CVE-2025-46288 https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple–macOS A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.2. An app may bypass Gatekeeper checks. 2025-12-17 not yet calculated CVE-2025-46291 https://support.apple.com/en-us/125886
 
Apple–iOS and iPadOS This issue was addressed with additional entitlement checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3. An app may be able to access user-sensitive data. 2025-12-17 not yet calculated CVE-2025-46292 https://support.apple.com/en-us/125885
https://support.apple.com/en-us/125884
 
Claris–FileMaker Server To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration by setting NtfsDisable8dot3NameCreation in the Windows registry. This prevents attackers from using the tilde character to discover hidden files and directories. This vulnerability has been fully addressed in FileMaker Server 22.0.4. The IIS Shortname Vulnerability exploits how Microsoft IIS handles legacy 8.3 short filenames, allowing attackers to infer the existence of files or directories by crafting requests with the tilde (~) character. 2025-12-16 not yet calculated CVE-2025-46294 https://support.claris.com/s/answerview?anum=000048450&language=en_US
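Worked example, added here and not part of the Claris advisory or FileMaker Server: the tilde enumeration loop the advisory describes, run against a constructed in-process model of the IIS 404/400 responses rather than a live server. The mock's response rules, the `make_mock_iis` and `enumerate_shortnames` names, and the sample 8.3 names are assumptions for illustration.

```python
"""IIS 8.3 short-name enumeration (the 'tilde' technique) against a constructed
model of a vulnerable IIS. Added example; not code from Claris or FileMaker Server."""
import string

ALPHABET = string.ascii_uppercase + string.digits + "_-"   # characters legal in an 8.3 base name


def make_mock_iis(short_names, eight_dot_three_disabled=False):
    """Return a function modelling how IIS answers tilde probes.

    short_names: 8.3 names present in the web root (constructed input), e.g. "BACKUP~1.ZIP".
    eight_dot_three_disabled: models a server where NtfsDisable8dot3NameCreation=1 was set
    before the files were created, so there are no short names to find.

    Modelled behaviour (the signal a scanner relies on): a probe such as /BAC*~1*/.aspx
    gets 404 when some short name starts with "BAC" and 400 when none does.
    """
    bases = [] if eight_dot_three_disabled else [n.upper().split("~", 1)[0] for n in short_names]

    def respond(path):
        if not (path.startswith("/") and path.endswith("/.aspx") and "~1" in path):
            return 200                       # not a tilde probe; irrelevant to this model
        pattern = path[1:-len("/.aspx")]     # e.g. "BAC*~1*" or "BACKUP~1*"
        head = pattern.split("~", 1)[0]
        if head.endswith("*"):
            hit = any(b.startswith(head[:-1]) for b in bases)   # prefix probe
        else:
            hit = head in bases                                  # full-base probe
        return 404 if hit else 400

    return respond


def enumerate_shortnames(respond, max_len=6):
    """Recover every 8.3 base name (at most 6 characters before '~1') one character at a time.

    respond(path) -> HTTP status. On a real engagement this would issue HTTP requests
    to the target; here it is the mock above.
    """
    found = []

    def extend(prefix):
        if prefix and respond(f"/{prefix}~1*/.aspx") == 404:
            found.append(prefix)             # prefix is a complete base name
        if len(prefix) == max_len:
            return
        for ch in ALPHABET:
            if respond(f"/{prefix}{ch}*~1*/.aspx") == 404:
                extend(prefix + ch)

    extend("")
    return sorted(found)


if __name__ == "__main__":
    server = make_mock_iis(["BACKUP~1.ZIP", "WEB~1.CON", "UPLOAD~1"])
    print(enumerate_shortnames(server))   # ['BACKUP', 'UPLOAD', 'WEB']
    print(enumerate_shortnames(make_mock_iis(["BACKUP~1.ZIP"], eight_dot_three_disabled=True)))   # []
```

The two status codes are the whole leak: each confirmed prefix probe reveals one more character, so a six-character base costs at most `len(ALPHABET)` requests per position, and real scanners go on to enumerate the extension the same way. One caveat when applying the 22.0.4 option: `NtfsDisable8dot3NameCreation` only stops new short names from being generated. Files created before the change keep theirs until they are stripped (`fsutil 8dot3name strip`) or recreated, so confirm the volume state with `fsutil 8dot3name query` afterwards.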
 
Claris–FileMaker Server Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4. 2025-12-16 not yet calculated CVE-2025-46295 https://support.claris.com/s/answerview?anum=000049059&language=en_US
 
Claris–FileMaker Server An authorization bypass vulnerability in FileMaker Server Admin Console allowed administrator roles with minimal privileges to access administrative features such as viewing license details and downloading application logs. This vulnerability has been fully addressed in FileMaker Server 22.0.4. 2025-12-16 not yet calculated CVE-2025-46296 https://support.claris.com/s/answerview?anum=000049056&language=en_US
 
The African Boss–Get Cash Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Get Cash: from n/a through <= 3.2.3. 2025-12-18 not yet calculated CVE-2025-49041 https://vdp.patchstack.com/database/Wordpress/Plugin/get-cash/vulnerability/wordpress-get-cash-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve
 
shinetheme–Traveler Option Tree Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data. This issue affects Traveler Option Tree: from n/a through <= 2.8. 2025-12-16 not yet calculated CVE-2025-49300 https://vdp.patchstack.com/database/Wordpress/Plugin/custom-option-tree/vulnerability/wordpress-traveler-option-tree-plugin-2-8-sensitive-data-exposure-vulnerability?_s_id=cve
 
AncoraThemes–ShieldGroup Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion. This issue affects ShieldGroup: from n/a through <= 2.13. 2025-12-18 not yet calculated CVE-2025-49359 https://vdp.patchstack.com/database/Wordpress/Theme/shieldgroup/vulnerability/wordpress-shieldgroup-theme-2-13-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Militarology Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion. This issue affects Militarology: from n/a through <= 1.0.15. 2025-12-18 not yet calculated CVE-2025-49360 https://vdp.patchstack.com/database/Wordpress/Theme/militarology/vulnerability/wordpress-militarology-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Mamita Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion. This issue affects Mamita: from n/a through <= 1.0.9. 2025-12-18 not yet calculated CVE-2025-49361 https://vdp.patchstack.com/database/Wordpress/Theme/mamita/vulnerability/wordpress-mamita-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Gracioza Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion. This issue affects Gracioza: from n/a through <= 1.0.15. 2025-12-18 not yet calculated CVE-2025-49362 https://vdp.patchstack.com/database/Wordpress/Theme/gracioza/vulnerability/wordpress-gracioza-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Kings & Queens Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion. This issue affects Kings & Queens: from n/a through <= 1.1.16. 2025-12-18 not yet calculated CVE-2025-49363 https://vdp.patchstack.com/database/Wordpress/Theme/kings-queens/vulnerability/wordpress-kings-queens-theme-1-1-16-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Ludos Paradise Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion. This issue affects Ludos Paradise: from n/a through <= 2.1.3. 2025-12-18 not yet calculated CVE-2025-49364 https://vdp.patchstack.com/database/Wordpress/Theme/ludos-paradise/vulnerability/wordpress-ludos-paradise-theme-2-1-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Jack Well Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion. This issue affects Jack Well: from n/a through <= 1.0.14. 2025-12-18 not yet calculated CVE-2025-49365 https://vdp.patchstack.com/database/Wordpress/Theme/jack-well/vulnerability/wordpress-jack-well-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Hanani Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion. This issue affects Hanani: from n/a through <= 1.2.11. 2025-12-18 not yet calculated CVE-2025-49366 https://vdp.patchstack.com/database/Wordpress/Theme/hanani/vulnerability/wordpress-hanani-theme-1-2-11-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Monyxi Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Monyxi monyxi allows PHP Local File Inclusion. This issue affects Monyxi: from n/a through <= 1.1.8. 2025-12-18 not yet calculated CVE-2025-49367 https://vdp.patchstack.com/database/Wordpress/Theme/monyxi/vulnerability/wordpress-monyxi-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Palladio Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion. This issue affects Palladio: from n/a through <= 1.1.10. 2025-12-18 not yet calculated CVE-2025-49368 https://vdp.patchstack.com/database/Wordpress/Theme/palladio/vulnerability/wordpress-palladio-theme-1-1-10-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Lettuce Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Lettuce lettuce allows PHP Local File Inclusion. This issue affects Lettuce: from n/a through <= 1.1.7. 2025-12-18 not yet calculated CVE-2025-49369 https://vdp.patchstack.com/database/Wordpress/Theme/lettuce/vulnerability/wordpress-lettuce-theme-1-1-7-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Lymcoin Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Lymcoin lymcoin allows PHP Local File Inclusion. This issue affects Lymcoin: from n/a through <= 1.3.12. 2025-12-18 not yet calculated CVE-2025-49370 https://vdp.patchstack.com/database/Wordpress/Theme/lymcoin/vulnerability/wordpress-lymcoin-theme-1-3-12-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Strux Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Strux strux allows PHP Local File Inclusion. This issue affects Strux: from n/a through <= 1.9. 2025-12-18 not yet calculated CVE-2025-49371 https://vdp.patchstack.com/database/Wordpress/Theme/strux/vulnerability/wordpress-strux-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve
 
silverplugins217–Custom Fields Account Registration For Woocommerce Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation. This issue affects Custom Fields Account Registration For Woocommerce: from n/a through <= 1.2. 2025-12-18 not yet calculated CVE-2025-49379 https://vdp.patchstack.com/database/Wordpress/Plugin/custom-fields-account-registration-for-woocommerce/vulnerability/wordpress-custom-fields-account-registration-for-woocommerce-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve
 
A WP Life–Login Page Customizer – Customizer Login Page, Admin Page, Custom Design Missing Authorization vulnerability in A WP Life Login Page Customizer – Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Login Page Customizer – Customizer Login Page, Admin Page, Custom Design: from n/a through <= 2.1.1. 2025-12-18 not yet calculated CVE-2025-49902 https://vdp.patchstack.com/database/Wordpress/Plugin/customizer-login-page/vulnerability/wordpress-login-page-customizer-customizer-login-page-admin-page-custom-design-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve
 
jetmonsters–Restaurant Menu by MotoPress Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7. 2025-12-18 not yet calculated CVE-2025-49914 https://vdp.patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-7-sensitive-data-exposure-vulnerability?_s_id=cve
 
e4jvikwp–VikBooking Hotel Booking Engine & PMS Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2. 2025-12-18 not yet calculated CVE-2025-49918 https://vdp.patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
WPCenter–eRoom Insertion of Sensitive Information Into Sent Data vulnerability in WPCenter eRoom eroom-zoom-meetings-webinar allows Retrieve Embedded Sensitive Data. This issue affects eRoom: from n/a through <= 1.5.6. 2025-12-18 not yet calculated CVE-2025-49919 https://vdp.patchstack.com/database/Wordpress/Plugin/eroom-zoom-meetings-webinar/vulnerability/wordpress-eroom-plugin-1-5-6-sensitive-data-exposure-vulnerability?_s_id=cve
 
AncoraThemes–GlamChic Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes GlamChic glamchic allows PHP Local File Inclusion. This issue affects GlamChic: from n/a through <= 1.0.11. 2025-12-18 not yet calculated CVE-2025-49941 https://vdp.patchstack.com/database/Wordpress/Theme/glamchic/vulnerability/wordpress-glamchic-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Gardis Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Gardis gardis allows PHP Local File Inclusion. This issue affects Gardis: from n/a through <= 1.2.13. 2025-12-18 not yet calculated CVE-2025-49942 https://vdp.patchstack.com/database/Wordpress/Theme/gardis/vulnerability/wordpress-gardis-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Femme Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Femme femme allows PHP Local File Inclusion. This issue affects Femme: from n/a through <= 1.3.11. 2025-12-18 not yet calculated CVE-2025-49943 https://vdp.patchstack.com/database/Wordpress/Theme/femme/vulnerability/wordpress-femme-theme-1-3-11-local-file-inclusion-vulnerability?_s_id=cve
 
Mercury–Mercury Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password. 2025-12-16 not yet calculated CVE-2025-50398 https://github.com/sezangel/IOT-vul/tree/main/Mercury/D196G/2
 
Mercury–Mercury Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter password. 2025-12-16 not yet calculated CVE-2025-50401 https://github.com/sezangel/IOT-vul/tree/main/Mercury/D196G/1
 
igmpproxy–igmpproxy igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN. 2025-12-19 not yet calculated CVE-2025-50681 https://github.com/pali/igmpproxy/issues/97
https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
https://gist.github.com/miora-sora/dac1612d16c45c2aedb8605478adc28f
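Added example, not igmpproxy's C code: a Python parser for the IGMPv3 Membership Report layout in RFC 3376 that does what the fixed `recv_igmp()` path has to do, namely reject a group record whose type is not one of the six defined values before any address from that record is formatted for a log line. `build_report` exists only to construct test packets, including the crafted one; the function names and sample addresses are assumptions.

```python
"""Parse an IGMPv3 Membership Report (RFC 3376) and reject malformed group records
instead of formatting an address from a failed type lookup. Added example; not
igmpproxy's code."""
import socket
import struct

IGMPV3_MEMBERSHIP_REPORT = 0x22
RECORD_TYPES = {                       # the six record types RFC 3376 defines
    1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
    3: "CHANGE_TO_INCLUDE_MODE", 4: "CHANGE_TO_EXCLUDE_MODE",
    5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES",
}


class BadReport(ValueError):
    """Raised for any packet that must be dropped rather than processed."""


def inet_checksum(data):
    """RFC 1071 one's-complement checksum, as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_report(records):
    """Construct a v3 report with a correct checksum (used here to make test
    packets, including crafted ones). records: [(record_type, group, [sources])]."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources), socket.inet_aton(group))
        body += b"".join(socket.inet_aton(s) for s in sources)
    msg = struct.pack("!BBHHH", IGMPV3_MEMBERSHIP_REPORT, 0, 0, 0, len(records)) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_report(pkt):
    """Return [(record_type_name, group, [sources])] or raise BadReport."""
    if len(pkt) < 8:
        raise BadReport("truncated header")
    msg_type, _, _, _, nrec = struct.unpack("!BBHHH", pkt[:8])
    if msg_type != IGMPV3_MEMBERSHIP_REPORT:
        raise BadReport("not a v3 membership report (type 0x%02x)" % msg_type)
    if inet_checksum(pkt) != 0:                       # a valid packet sums to zero
        raise BadReport("bad checksum")
    off, records = 8, []
    for _ in range(nrec):
        if len(pkt) < off + 8:
            raise BadReport("truncated group record")
        rtype, aux_len, nsrc, group = struct.unpack("!BBH4s", pkt[off:off + 8])
        off += 8
        group_str = socket.inet_ntoa(group)
        if (group[0] & 0xF0) != 0xE0:                 # 224.0.0.0/4 only
            raise BadReport("group %s is not multicast" % group_str)
        name = RECORD_TYPES.get(rtype)
        if name is None:
            # The crash path in the advisory: an unknown record type is looked up,
            # the lookup yields NULL, and that NULL is then formatted for the log.
            # Rejecting here means nothing from this record is ever formatted.
            raise BadReport("unknown group record type %d for %s" % (rtype, group_str))
        need = 4 * nsrc + 4 * aux_len                 # sources plus auxiliary data words
        if len(pkt) < off + need:
            raise BadReport("truncated source list")
        sources = [socket.inet_ntoa(pkt[off + 4 * i: off + 4 * i + 4]) for i in range(nsrc)]
        off += need
        records.append((name, group_str, sources))
    return records


def check(pkt):
    """None if the packet is acceptable, otherwise the reason it was dropped."""
    try:
        parse_report(pkt)
        return None
    except BadReport as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_report([(4, "239.1.1.1", []), (5, "239.255.0.1", ["10.0.0.5"])])
    print(parse_report(good))
    print(check(build_report([(127, "239.1.1.1", [])])))   # crafted record type, dropped
```

The order of checks matters for a daemon that sits on a LAN interface: length first, then type and checksum, then each record's type and bounds before any field from it is turned into a string. A packet that fails any step is dropped with a reason that is safe to log, which is exactly the difference between the fixed and unfixed `recv_igmp()`.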
 
MicroStudio–MicroStudio An HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of the add_project_comment function. 2025-12-15 not yet calculated CVE-2025-51962 https://github.com/pmgl/microstudio/
https://github.com/Sunnyshineshow/vulnerability-research/blob/main/CVE-2025-51962/CVE-2025-51962.md
 
Ctera–Ctera Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe. 2025-12-16 not yet calculated CVE-2025-52196 https://kb.ctera.com/docs/81x-portal
https://gist.github.com/simonecris/99baeb07fe6e1803d461e44031819cd3
 
AncoraThemes–Farm Agrico Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Farm Agrico farmagrico allows PHP Local File Inclusion. This issue affects Farm Agrico: from n/a through <= 1.3.11. 2025-12-18 not yet calculated CVE-2025-52745 https://vdp.patchstack.com/database/Wordpress/Theme/farmagrico/vulnerability/wordpress-farm-agrico-theme-1-3-11-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Faith & Hope Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Faith & Hope faith-hope allows PHP Local File Inclusion. This issue affects Faith & Hope: from n/a through <= 2.13.0. 2025-12-18 not yet calculated CVE-2025-52768 https://vdp.patchstack.com/database/Wordpress/Theme/faith-hope/vulnerability/wordpress-faith-hope-theme-2-13-0-local-file-inclusion-vulnerability?_s_id=cve
 
jupyter–nbconvert The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can place an `inkscape.bat` file, a Windows batch script capable of arbitrary code execution, in a directory. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output on a Windows platform from that directory, the `inkscape.bat` file is run unexpectedly. As of time of publication, no known patches exist. 2025-12-17 not yet calculated CVE-2025-53000 https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports
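Added example, not nbconvert's or Imperva's code, showing the mechanism behind the `inkscape.bat` hijack and a lookup that refuses it. `windows_style_lookup` is a model of the documented Windows program search order (working directory before PATH, PATHEXT extensions appended) so the effect is visible on any platform; `resolve_tool` is a hypothetical hardened replacement; the planted batch file and its contents are constructed.

```python
"""Why a planted inkscape.bat wins, and a lookup that refuses it. Added example,
not nbconvert's code. windows_style_lookup models the Windows search order;
resolve_tool is a hypothetical hardened replacement."""
import os
import shutil
import tempfile

PATHEXT_HEAD = [".com", ".exe", ".bat", ".cmd"]   # leading entries of the default PATHEXT


def windows_style_lookup(name, search_dirs):
    """Model of how a bare program name is resolved on Windows: the current
    directory is consulted before PATH, and PATHEXT extensions are appended
    (real Windows also matches case-insensitively)."""
    for d in [os.getcwd()] + list(search_dirs):
        for ext in [""] + PATHEXT_HEAD:
            cand = os.path.join(d, name + ext)
            if os.path.isfile(cand):
                return cand
    return None


def resolve_tool(name, search_dirs):
    """Hardened lookup: drop empty and '.' entries and anything equal to the
    working directory, search only the rest, and still refuse a hit that lives
    in the working directory (shutil.which on older Windows Pythons prepends '.'
    itself). Callers pass the returned absolute path to subprocess, never the bare name."""
    cwd = os.path.realpath(os.getcwd())
    dirs = [d for d in search_dirs
            if d not in ("", os.curdir) and os.path.realpath(d) != cwd]
    hit = shutil.which(name, path=os.pathsep.join(dirs))
    if hit is None:
        return None
    hit = os.path.realpath(hit)
    return None if os.path.dirname(hit) == cwd else hit


def run_demo():
    """Plant a stand-in inkscape.bat in a fresh notebook directory, chdir there as
    `jupyter nbconvert` would, and compare both lookups. Returns a dict of results."""
    notebook_dir = tempfile.mkdtemp(prefix="nbconvert-demo-")
    planted = os.path.join(notebook_dir, "inkscape.bat")
    with open(planted, "w") as fh:                     # constructed stand-in payload
        fh.write("@echo off\r\necho this ran instead of inkscape\r\n")
    old_cwd = os.getcwd()
    os.chdir(notebook_dir)
    try:
        nb_real = os.getcwd()                           # resolved form of notebook_dir
        path_dirs = os.environ.get("PATH", "").split(os.pathsep)
        naive = windows_style_lookup("inkscape", path_dirs)
        hardened = resolve_tool("inkscape", path_dirs)
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(notebook_dir, ignore_errors=True)

    def in_notebook_dir(p):
        return p is not None and os.path.realpath(os.path.dirname(p)) == nb_real

    return {"naive": naive, "hardened": hardened,
            "naive_in_cwd": in_notebook_dir(naive),
            "hardened_in_cwd": in_notebook_dir(hardened)}


if __name__ == "__main__":
    print(run_demo())
```

The naive lookup returns the planted `inkscape.bat` every time because the notebook directory is searched first and `.bat` is a valid PATHEXT entry; the hardened lookup returns either a real installation outside that directory or nothing. Until a patched nbconvert ships, the practical mitigations follow from the same logic: run conversions from a directory you control, and invoke helpers by absolute path rather than relying on cwd-first resolution.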
 
Dell–Dell The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions, 2025-12-17 not yet calculated CVE-2025-53398 https://www.portrait.com/dell/
https://www.portrait.com/dell-security-cve-updates/
 
AncoraThemes–Exit Game Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Exit Game exit-game allows PHP Local File Inclusion. This issue affects Exit Game: from n/a through <= 1.4.3. 2025-12-18 not yet calculated CVE-2025-53429 https://vdp.patchstack.com/database/Wordpress/Theme/exit-game/vulnerability/wordpress-exit-game-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Etta Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Etta etta allows PHP Local File Inclusion. This issue affects Etta: from n/a through <= 1.14.0. 2025-12-18 not yet calculated CVE-2025-53430 https://vdp.patchstack.com/database/Wordpress/Theme/etta/vulnerability/wordpress-etta-theme-1-14-0-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Emberlyn Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Emberlyn emberlyn allows PHP Local File Inclusion. This issue affects Emberlyn: from n/a through <= 1.3.1. 2025-12-18 not yet calculated CVE-2025-53431 https://vdp.patchstack.com/database/Wordpress/Theme/emberlyn/vulnerability/wordpress-emberlyn-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Echo Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Echo echo allows PHP Local File Inclusion. This issue affects Echo: from n/a through <= 1.15.0. 2025-12-18 not yet calculated CVE-2025-53432 https://vdp.patchstack.com/database/Wordpress/Theme/echo/vulnerability/wordpress-echo-theme-1-15-0-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–EasyEat Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion. This issue affects EasyEat: from n/a through <= 1.9.0. 2025-12-18 not yet calculated CVE-2025-53433 https://vdp.patchstack.com/database/Wordpress/Theme/easyeat/vulnerability/wordpress-easyeat-theme-1-9-0-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–ChildHope Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes ChildHope childhope allows PHP Local File Inclusion. This issue affects ChildHope: from n/a through <= 1.1.8. 2025-12-18 not yet calculated CVE-2025-53434 https://vdp.patchstack.com/database/Wordpress/Theme/childhope/vulnerability/wordpress-childhope-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Plan My Day Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Plan My Day planmyday allows PHP Local File Inclusion. This issue affects Plan My Day: from n/a through <= 1.1.13. 2025-12-18 not yet calculated CVE-2025-53435 https://vdp.patchstack.com/database/Wordpress/Theme/planmyday/vulnerability/wordpress-plan-my-day-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve
 
BZOTheme–Monki Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in BZOTheme Monki monki allows PHP Local File Inclusion. This issue affects Monki: from n/a through <= 2.0.4. 2025-12-18 not yet calculated CVE-2025-53436 https://vdp.patchstack.com/database/Wordpress/Theme/monki/vulnerability/wordpress-monki-theme-2-0-4-local-file-inclusion-vulnerability?_s_id=cve
 
ApusTheme–Greenorganic Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ApusTheme Greenorganic greenorganic allows PHP Local File Inclusion. This issue affects Greenorganic: from n/a through <= 2.45. 2025-12-18 not yet calculated CVE-2025-53437 https://vdp.patchstack.com/database/Wordpress/Theme/greenorganic/vulnerability/wordpress-greenorganic-theme-2-45-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–FitLine Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes FitLine fitline allows PHP Local File Inclusion. This issue affects FitLine: from n/a through <= 1.6. 2025-12-18 not yet calculated CVE-2025-53438 https://vdp.patchstack.com/database/Wordpress/Theme/fitline/vulnerability/wordpress-fitline-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Harper Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion. This issue affects Harper: from n/a through <= 1.13. 2025-12-18 not yet calculated CVE-2025-53439 https://vdp.patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Greeny Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Greeny greeny allows PHP Local File Inclusion. This issue affects Greeny: from n/a through <= 2.6. 2025-12-18 not yet calculated CVE-2025-53441 https://vdp.patchstack.com/database/Wordpress/Theme/greeny/vulnerability/wordpress-greeny-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Rentic Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Rentic rentic allows PHP Local File Inclusion. This issue affects Rentic: from n/a through <= 1.1. 2025-12-18 not yet calculated CVE-2025-53442 https://vdp.patchstack.com/database/Wordpress/Theme/rentic/vulnerability/wordpress-rentic-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Smash Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Smash smash allows PHP Local File Inclusion. This issue affects Smash: from n/a through <= 1.7. 2025-12-18 not yet calculated CVE-2025-53443 https://vdp.patchstack.com/database/Wordpress/Theme/smash/vulnerability/wordpress-smash-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Catwalk Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion. This issue affects Catwalk: from n/a through <= 1.4. 2025-12-18 not yet calculated CVE-2025-53445 https://vdp.patchstack.com/database/Wordpress/Theme/catwalk/vulnerability/wordpress-catwalk-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Beautique Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Beautique beautique allows PHP Local File Inclusion. This issue affects Beautique: from n/a through <= 1.5. 2025-12-18 not yet calculated CVE-2025-53446 https://vdp.patchstack.com/database/Wordpress/Theme/beautique/vulnerability/wordpress-beautique-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Assembly Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion. This issue affects Assembly: from n/a through <= 1.1. 2025-12-18 not yet calculated CVE-2025-53447 https://vdp.patchstack.com/database/Wordpress/Theme/assembly/vulnerability/wordpress-assembly-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Rally Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion. This issue affects Rally: from n/a through <= 1.1. 2025-12-18 not yet calculated CVE-2025-53448 https://vdp.patchstack.com/database/Wordpress/Theme/rally/vulnerability/wordpress-rally-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Convex Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11. 2025-12-18 not yet calculated CVE-2025-53449 https://vdp.patchstack.com/database/Wordpress/Theme/convex/vulnerability/wordpress-convex-theme-1-11-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Hygia Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Hygia hygia allows PHP Local File Inclusion. This issue affects Hygia: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-53453 https://vdp.patchstack.com/database/Wordpress/Theme/hygia/vulnerability/wordpress-hygia-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve
 
Dell–Dell An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors. It creates a temporary folder, with weak permissions, during installation and uninstallation. A low-privileged attacker with local access could potentially exploit this, leading to elevation of privileges. 2025-12-17 not yet calculated CVE-2025-53919 https://portrait.com/dell
https://www.portrait.com/dell-security-cve-updates/
 
galette–galette Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue. 2025-12-19 not yet calculated CVE-2025-53922 https://github.com/galette/galette/security/advisories/GHSA-5jp7-5c38-3pv6
 
WC Lovers–WCFM Frontend Manager for WooCommerce Missing Authorization vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce wc-frontend-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through <= 6.7.21. 2025-12-16 not yet calculated CVE-2025-54004 https://vdp.patchstack.com/database/Wordpress/Plugin/wc-frontend-manager/vulnerability/wordpress-wcfm-frontend-manager-for-woocommerce-plugin-6-7-21-broken-access-control-vulnerability?_s_id=cve
 
sonalsinha21–SKT Page Builder Missing Authorization vulnerability in sonalsinha21 SKT Page Builder skt-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SKT Page Builder: from n/a through <= 4.9. 2025-12-16 not yet calculated CVE-2025-54005 https://vdp.patchstack.com/database/Wordpress/Plugin/skt-builder/vulnerability/wordpress-skt-page-builder-plugin-4-9-broken-access-control-vulnerability?_s_id=cve
 
CreativeMindsSolutions–CM On Demand Search And Replace Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.4. 2025-12-16 not yet calculated CVE-2025-54045 https://vdp.patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve
 
BoldThemes–DentiCare Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection. This issue affects DentiCare: from n/a through < 1.4.3. 2025-12-18 not yet calculated CVE-2025-54723 https://vdp.patchstack.com/database/Wordpress/Theme/denticare/vulnerability/wordpress-denticare-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve
 
Tyler Moore–Super Blank Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Super Blank: from n/a through <= 1.2.0. 2025-12-18 not yet calculated CVE-2025-54741 https://vdp.patchstack.com/database/Wordpress/Plugin/super-blank/vulnerability/wordpress-super-blank-plugin-1-2-0-arbitrary-content-deletion-vulnerability?_s_id=cve
 
mkscripts–Download After Email Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through 2.1.5-2.1.6. 2025-12-18 not yet calculated CVE-2025-54743 https://vdp.patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-5-2-1-6-other-vulnerability-type-vulnerability?_s_id=cve
 
miniOrange–miniOrange’s Google Authenticator Missing Authorization vulnerability in miniOrange miniOrange’s Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects miniOrange’s Google Authenticator: from n/a through <= 6.1.1. 2025-12-18 not yet calculated CVE-2025-54745 https://vdp.patchstack.com/database/Wordpress/Plugin/miniorange-2-factor-authentication/vulnerability/wordpress-miniorange-s-google-authenticator-plugin-6-1-1-broken-access-control-vulnerability?_s_id=cve
 
RomanCode–MapSVG Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in RomanCode MapSVG mapsvg allows Path Traversal. This issue affects MapSVG: from n/a through < 8.6.12. 2025-12-18 not yet calculated CVE-2025-54748 https://vdp.patchstack.com/database/Wordpress/Plugin/mapsvg/vulnerability/wordpress-mapsvg-plugin-8-6-12-arbitrary-file-download-vulnerability?_s_id=cve
 
WPXPO–PostX Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 4.1.36. 2025-12-18 not yet calculated CVE-2025-54751 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-4-1-36-broken-access-control-vulnerability?_s_id=cve
 
WPXPO–PostX Incorrect Privilege Assignment vulnerability in WPXPO PostX ultimate-post allows Privilege Escalation. This issue affects PostX: from n/a through <= 4.1.35. 2025-12-18 not yet calculated CVE-2025-55707 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-4-1-35-privilege-escalation-vulnerability?_s_id=cve
 
TOTOLINK–TOTOLINK TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command injection in setOpModeCfg via hostName. 2025-12-15 not yet calculated CVE-2025-55893 https://www.totolink.net/
https://github.com/l0tk3/CVES/blob/main/CVE-2025-55893.pdf

TOTOLINK–TOTOLINK TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote). 2025-12-15 not yet calculated CVE-2025-55895 https://www.totolink.net/
https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf

TOTOLINK–TOTOLINK TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter. 2025-12-15 not yet calculated CVE-2025-55901 https://www.totolink.net
https://github.com/l0tk3/CVES/blob/main/CVE-2025-55901.pdf

Dify–Dify Default credentials in Dify through 1.5.1. The PostgreSQL username and password are specified in the docker-compose.yaml file included in its source code. 2025-12-18 not yet calculated CVE-2025-56157 http://dify.com
https://github.com/langgenius/dify
https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd
 
venusweb–Logtik Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in venusweb Logtik logtik allows Reflected XSS. This issue affects Logtik: from n/a through <= 2.3. 2025-12-18 not yet calculated CVE-2025-57897 https://vdp.patchstack.com/database/Wordpress/Theme/logtik/vulnerability/wordpress-logtik-theme-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve

galette–galette Galette is a membership management web application for non-profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with the group manager role can bypass intended restrictions, allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group manager accounts. Version 1.2.0 fixes the issue. 2025-12-19 not yet calculated CVE-2025-58052 https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx

galette–galette Galette is a membership management web application for non-profit organizations. Prior to version 1.2.0, while updating any existing account with a self-forged POST request, one can gain higher privileges. Version 1.2.0 fixes the issue. 2025-12-19 not yet calculated CVE-2025-58053 https://github.com/galette/galette/security/advisories/GHSA-r7x8-6r56-498r
 
FreshRSS–FreshRSS FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it’s possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or setting the database to an attacker-controlled MySQL server and abusing it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue. 2025-12-15 not yet calculated CVE-2025-58173 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293
https://github.com/FreshRSS/FreshRSS/pull/7878
https://github.com/FreshRSS/FreshRSS/pull/7971
https://github.com/FreshRSS/FreshRSS/pull/7979
https://github.com/FreshRSS/FreshRSS/commit/79604aa4b3051f083d1734bd9e82c6a89d785c5a#diff-49280171b6e7964e21a0270427e56eacb47b8ac562593a01ad4bc74b49f840c7R135
https://github.com/FreshRSS/FreshRSS/commit/dbbae15a8458679db0f4540dacdbdcff9c02ec8c#diff-63f610c36d0f2555c1787f6d0804f46f4df6e0f918dfe03408309039abf6efebL85-L88
https://github.com/FreshRSS/FreshRSS/commit/ee175dd6169a016fc898fac62d046e22c205dec0#diff-6ebff7743ede829cf5a7f0e4566b42023a2d4779cc8d7e96fefec116f2292174R190-R194
 
axiomthemes–Paragon Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Paragon paragon allows PHP Local File Inclusion. This issue affects Paragon: from n/a through <= 1.1. 2025-12-18 not yet calculated CVE-2025-58225 https://vdp.patchstack.com/database/Wordpress/Theme/paragon/vulnerability/wordpress-paragon-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Woo Hoo Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Woo Hoo woohoo allows PHP Local File Inclusion. This issue affects Woo Hoo: from n/a through <= 1.25. 2025-12-18 not yet calculated CVE-2025-58706 https://vdp.patchstack.com/database/Wordpress/Theme/woohoo/vulnerability/wordpress-woo-hoo-theme-1-25-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–777 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes 777 triple-seven allows PHP Local File Inclusion. This issue affects 777: from n/a through <= 1.3. 2025-12-18 not yet calculated CVE-2025-58708 https://vdp.patchstack.com/database/Wordpress/Theme/triple-seven/vulnerability/wordpress-777-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Legacy Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Legacy legacy allows PHP Local File Inclusion. This issue affects Legacy: from n/a through <= 1.9. 2025-12-18 not yet calculated CVE-2025-58709 https://vdp.patchstack.com/database/Wordpress/Theme/legacy/vulnerability/wordpress-legacy-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve

e-plugins–Hotel Listing Incorrect Privilege Assignment vulnerability in e-plugins Hotel Listing hotel-listing allows Privilege Escalation. This issue affects Hotel Listing: from n/a through <= 1.4.0. 2025-12-18 not yet calculated CVE-2025-58710 https://vdp.patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-privilege-escalation-vulnerability?_s_id=cve

axiomthemes–Algenix Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Algenix algenix allows PHP Local File Inclusion. This issue affects Algenix: from n/a through <= 1.0. 2025-12-18 not yet calculated CVE-2025-58803 https://vdp.patchstack.com/database/Wordpress/Theme/algenix/vulnerability/wordpress-algenix-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve

javothemes–Javo Core Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through <= 3.0.0.529. 2025-12-18 not yet calculated CVE-2025-58877 https://vdp.patchstack.com/database/Wordpress/Plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-529-arbitrary-content-deletion-vulnerability?_s_id=cve

AncoraThemes–Festy Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion. This issue affects Festy: from n/a through <= 1.13.0. 2025-12-18 not yet calculated CVE-2025-58879 https://vdp.patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Pathfinder Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Pathfinder pathfinder allows PHP Local File Inclusion. This issue affects Pathfinder: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-58885 https://vdp.patchstack.com/database/Wordpress/Theme/pathfinder/vulnerability/wordpress-pathfinder-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–The Flash Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion. This issue affects The Flash: from n/a through <= 1.15. 2025-12-18 not yet calculated CVE-2025-58888 https://vdp.patchstack.com/database/Wordpress/Theme/theflash/vulnerability/wordpress-the-flash-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Towny Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion. This issue affects Towny: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-58889 https://vdp.patchstack.com/database/Wordpress/Theme/towny/vulnerability/wordpress-towny-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Playful Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion. This issue affects Playful: from n/a through <= 1.19.0. 2025-12-18 not yet calculated CVE-2025-58890 https://vdp.patchstack.com/database/Wordpress/Theme/playful/vulnerability/wordpress-playful-theme-1-19-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Sanger Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Sanger sanger allows PHP Local File Inclusion. This issue affects Sanger: from n/a through <= 1.24.0. 2025-12-18 not yet calculated CVE-2025-58891 https://vdp.patchstack.com/database/Wordpress/Theme/sanger/vulnerability/wordpress-sanger-theme-1-24-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Tourimo Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion. This issue affects Tourimo: from n/a through <= 1.2.3. 2025-12-18 not yet calculated CVE-2025-58892 https://vdp.patchstack.com/database/Wordpress/Theme/tourimo/vulnerability/wordpress-tourimo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Alright Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion. This issue affects Alright: from n/a through <= 1.6.1. 2025-12-18 not yet calculated CVE-2025-58893 https://vdp.patchstack.com/database/Wordpress/Theme/alright/vulnerability/wordpress-alright-theme-1-6-1-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Good Mood Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion. This issue affects Good Mood: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-58894 https://vdp.patchstack.com/database/Wordpress/Theme/good-mood/vulnerability/wordpress-good-mood-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Integro Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion. This issue affects Integro: from n/a through <= 1.8.0. 2025-12-18 not yet calculated CVE-2025-58895 https://vdp.patchstack.com/database/Wordpress/Theme/integro/vulnerability/wordpress-integro-theme-1-8-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Otaku Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion. This issue affects Otaku: from n/a through <= 1.8.0. 2025-12-18 not yet calculated CVE-2025-58896 https://vdp.patchstack.com/database/Wordpress/Theme/otaku/vulnerability/wordpress-otaku-theme-1-8-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–HealthHub Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion. This issue affects HealthHub: from n/a through <= 1.3.0. 2025-12-18 not yet calculated CVE-2025-58898 https://vdp.patchstack.com/database/Wordpress/Theme/healthhub/vulnerability/wordpress-healthhub-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Frame Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Frame frame allows PHP Local File Inclusion. This issue affects Frame: from n/a through <= 2.4.0. 2025-12-18 not yet calculated CVE-2025-58899 https://vdp.patchstack.com/database/Wordpress/Theme/frame/vulnerability/wordpress-frame-theme-2-4-0-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–UniTravel Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes UniTravel unitravel allows PHP Local File Inclusion. This issue affects UniTravel: from n/a through <= 1.4.2. 2025-12-18 not yet calculated CVE-2025-58900 https://vdp.patchstack.com/database/Wordpress/Theme/unitravel/vulnerability/wordpress-unitravel-theme-1-4-2-local-file-inclusion-vulnerability?_s_id=cve

AncoraThemes–Takeout Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Takeout takeout allows PHP Local File Inclusion. This issue affects Takeout: from n/a through <= 1.3.0. 2025-12-18 not yet calculated CVE-2025-58901 https://vdp.patchstack.com/database/Wordpress/Theme/takeout/vulnerability/wordpress-takeout-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Critique Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Critique critique allows PHP Local File Inclusion. This issue affects Critique: from n/a through <= 1.17. 2025-12-18 not yet calculated CVE-2025-58923 https://vdp.patchstack.com/database/Wordpress/Theme/critique/vulnerability/wordpress-critique-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Neptunus Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Neptunus neptunus allows PHP Local File Inclusion. This issue affects Neptunus: from n/a through <= 1.0.11. 2025-12-18 not yet calculated CVE-2025-58925 https://vdp.patchstack.com/database/Wordpress/Theme/neptunus/vulnerability/wordpress-neptunus-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Cerebrum Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Cerebrum cerebrum allows PHP Local File Inclusion. This issue affects Cerebrum: from n/a through <= 1.12. 2025-12-18 not yet calculated CVE-2025-58926 https://vdp.patchstack.com/database/Wordpress/Theme/cerebrum/vulnerability/wordpress-cerebrum-theme-1-12-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Stallion Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Stallion stallion allows PHP Local File Inclusion. This issue affects Stallion: from n/a through <= 1.17. 2025-12-18 not yet calculated CVE-2025-58927 https://vdp.patchstack.com/database/Wordpress/Theme/stallion/vulnerability/wordpress-stallion-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Heart Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion. This issue affects Heart: from n/a through <= 1.8. 2025-12-18 not yet calculated CVE-2025-58928 https://vdp.patchstack.com/database/Wordpress/Theme/heart/vulnerability/wordpress-heart-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Pantry Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion. This issue affects Pantry: from n/a through <= 1.4. 2025-12-18 not yet calculated CVE-2025-58929 https://vdp.patchstack.com/database/Wordpress/Theme/pantry/vulnerability/wordpress-pantry-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–FitFlex Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes FitFlex fitflex allows PHP Local File Inclusion. This issue affects FitFlex: from n/a through <= 1.6. 2025-12-18 not yet calculated CVE-2025-58930 https://vdp.patchstack.com/database/Wordpress/Theme/fitflex/vulnerability/wordpress-fitflex-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Palatio Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion. This issue affects Palatio: from n/a through <= 1.6. 2025-12-18 not yet calculated CVE-2025-58931 https://vdp.patchstack.com/database/Wordpress/Theme/palatio/vulnerability/wordpress-palatio-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Prisma Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion. This issue affects Prisma: from n/a through <= 1.10. 2025-12-18 not yet calculated CVE-2025-58932 https://vdp.patchstack.com/database/Wordpress/Theme/prisma/vulnerability/wordpress-prisma-theme-1-10-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Anubis Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion. This issue affects Anubis: from n/a through <= 1.25. 2025-12-18 not yet calculated CVE-2025-58933 https://vdp.patchstack.com/database/Wordpress/Theme/anubis/vulnerability/wordpress-anubis-theme-1-25-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–The Gig Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion. This issue affects The Gig: from n/a through <= 1.18.0. 2025-12-18 not yet calculated CVE-2025-58934 https://vdp.patchstack.com/database/Wordpress/Theme/thegig/vulnerability/wordpress-the-gig-theme-1-18-0-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Lunna Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Lunna lunna allows PHP Local File Inclusion. This issue affects Lunna: from n/a through <= 1.15. 2025-12-18 not yet calculated CVE-2025-58935 https://vdp.patchstack.com/database/Wordpress/Theme/lunna/vulnerability/wordpress-lunna-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Catamaran Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion. This issue affects Catamaran: from n/a through <= 1.15. 2025-12-18 not yet calculated CVE-2025-58936 https://vdp.patchstack.com/database/Wordpress/Theme/catamaran/vulnerability/wordpress-catamaran-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Tacticool Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Tacticool tacticool allows PHP Local File Inclusion. This issue affects Tacticool: from n/a through <= 1.0.13. 2025-12-18 not yet calculated CVE-2025-58937 https://vdp.patchstack.com/database/Wordpress/Theme/tacticool/vulnerability/wordpress-tacticool-theme-1-0-13-local-file-inclusion-vulnerability?_s_id=cve

ThemeAtelier–IDonatePro Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonatePro: from n/a through <= 2.1.9. 2025-12-18 not yet calculated CVE-2025-58938 https://vdp.patchstack.com/database/Wordpress/Plugin/idonate-pro/vulnerability/wordpress-idonatepro-plugin-2-1-9-broken-access-control-vulnerability-2?_s_id=cve

axiomthemes–Basil Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion. This issue affects Basil: from n/a through <= 1.3.12. 2025-12-18 not yet calculated CVE-2025-58940 https://vdp.patchstack.com/database/Wordpress/Theme/basil/vulnerability/wordpress-basil-theme-1-3-12-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Fabric Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion. This issue affects Fabric: from n/a through <= 1.5.0. 2025-12-18 not yet calculated CVE-2025-58941 https://vdp.patchstack.com/database/Wordpress/Theme/fabric/vulnerability/wordpress-fabric-theme-1-5-0-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Dwell Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion. This issue affects Dwell: from n/a through <= 1.7.0. 2025-12-18 not yet calculated CVE-2025-58942 https://vdp.patchstack.com/database/Wordpress/Theme/dwell/vulnerability/wordpress-dwell-theme-1-7-0-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Agricola Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Agricola agricola allows PHP Local File Inclusion. This issue affects Agricola: from n/a through <= 1.1.0. 2025-12-18 not yet calculated CVE-2025-58943 https://vdp.patchstack.com/database/Wordpress/Theme/agricola/vulnerability/wordpress-agricola-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Manufactory Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion. This issue affects Manufactory: from n/a through <= 1.4. 2025-12-18 not yet calculated CVE-2025-58944 https://vdp.patchstack.com/database/Wordpress/Theme/manufactory/vulnerability/wordpress-manufactory-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–EcoGrow Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes EcoGrow ecogrow allows PHP Local File Inclusion. This issue affects EcoGrow: from n/a through <= 1.7. 2025-12-18 not yet calculated CVE-2025-58945 https://vdp.patchstack.com/database/Wordpress/Theme/ecogrow/vulnerability/wordpress-ecogrow-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Vocal Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion. This issue affects Vocal: from n/a through <= 1.12. 2025-12-18 not yet calculated CVE-2025-58946 https://vdp.patchstack.com/database/Wordpress/Theme/vocal/vulnerability/wordpress-vocal-theme-1-12-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Athos Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion. This issue affects Athos: from n/a through <= 1.9. 2025-12-18 not yet calculated CVE-2025-58947 https://vdp.patchstack.com/database/Wordpress/Theme/athos/vulnerability/wordpress-athos-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Aromatica Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Aromatica aromatica allows PHP Local File Inclusion. This issue affects Aromatica: from n/a through <= 1.8. 2025-12-18 not yet calculated CVE-2025-58948 https://vdp.patchstack.com/database/Wordpress/Theme/aromatica/vulnerability/wordpress-aromatica-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Spock Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion. This issue affects Spock: from n/a through <= 1.17. 2025-12-18 not yet calculated CVE-2025-58949 https://vdp.patchstack.com/database/Wordpress/Theme/spock/vulnerability/wordpress-spock-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve

axiomthemes–Lione Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Lione lione allows PHP Local File Inclusion. This issue affects Lione: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-58950 https://vdp.patchstack.com/database/Wordpress/Theme/lione/vulnerability/wordpress-lione-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve

smartcms–Advance Seat Reservation Management for WooCommerce Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection. This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1. 2025-12-18 not yet calculated CVE-2025-58951 https://vdp.patchstack.com/database/Wordpress/Plugin/scw-seat-reservation/vulnerability/wordpress-advance-seat-reservation-management-for-woocommerce-plugin-3-1-sql-injection-vulnerability?_s_id=cve

loopus–WP Attractive Donations System – Easy Stripe & Paypal donations Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System – Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery. This issue affects WP Attractive Donations System – Easy Stripe & Paypal donations: from n/a through <= 1.25. 2025-12-16 not yet calculated CVE-2025-58999 https://vdp.patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

ThemeNectar–Salient Core Missing Authorization vulnerability in ThemeNectar Salient Core salient-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salient Core: from n/a through <= 3.0.8. 2025-12-16 not yet calculated CVE-2025-59001 https://vdp.patchstack.com/database/Wordpress/Plugin/salient-core/vulnerability/wordpress-salient-core-plugin-3-0-8-broken-access-control-vulnerability?_s_id=cve

Astoundify–Listify Cross-Site Request Forgery (CSRF) vulnerability in Astoundify Listify listify allows Cross Site Request Forgery. This issue affects Listify: from n/a through <= 3.2.5. 2025-12-16 not yet calculated CVE-2025-59009 https://vdp.patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-theme-3-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Jthemes–Sale! Immigration law, Visa services support, Migration Agent Consulting Incorrect Privilege Assignment vulnerability in Jthemes Sale! Immigration law, Visa services support, Migration Agent Consulting immiex allows Privilege Escalation. This issue affects Sale! Immigration law, Visa services support, Migration Agent Consulting: from n/a through <= 1.5.8. 2025-12-18 not yet calculated CVE-2025-59134 https://vdp.patchstack.com/database/Wordpress/Theme/immiex/vulnerability/wordpress-sale-immigration-law-visa-services-support-migration-agent-consulting-theme-1-5-8-privilege-escalation-vulnerability?_s_id=cve
 
ASUS–live update Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue. 2025-12-17 not yet calculated CVE-2025-59374 https://www.asus.com/news/hqfgvuyz6uyayje1/
 
QNAP Systems Inc.–QTS An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. 2025-12-16 not yet calculated CVE-2025-59385 https://www.qnap.com/en/security-advisory/qsa-25-45
 
Inaba Denki Sangyo Co., Ltd.–CHOCO TEI WATCHER mini (IB-MCT001) CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. 2025-12-16 not yet calculated CVE-2025-59479 https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf
https://jvn.jp/en/vu/JVNVU92827367/
 
nanomq–nanomq NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 have a buffer overflow when a PUBLISH packet triggers both a shared subscription and a vanilla subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription. 2025-12-15 not yet calculated CVE-2025-59947 https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3
https://github.com/nanomq/nanomq/issues/2110
https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b
 
AncoraThemes–Chinchilla Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion. This issue affects Chinchilla: from n/a through <= 1.16. 2025-12-18 not yet calculated CVE-2025-60042 https://vdp.patchstack.com/database/Wordpress/Theme/chinchilla/vulnerability/wordpress-chinchilla-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Wanderic Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Wanderic wanderic allows PHP Local File Inclusion. This issue affects Wanderic: from n/a through <= 1.0.10. 2025-12-18 not yet calculated CVE-2025-60043 https://vdp.patchstack.com/database/Wordpress/Theme/wanderic/vulnerability/wordpress-wanderic-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Fribbo Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Fribbo fribbo allows PHP Local File Inclusion. This issue affects Fribbo: from n/a through <= 1.1.0. 2025-12-18 not yet calculated CVE-2025-60044 https://vdp.patchstack.com/database/Wordpress/Theme/fribbo/vulnerability/wordpress-fribbo-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeAtelier–IDonatePro Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11. 2025-12-18 not yet calculated CVE-2025-60045 https://vdp.patchstack.com/database/Wordpress/Plugin/idonate-pro/vulnerability/wordpress-idonatepro-plugin-2-1-11-broken-access-control-vulnerability?_s_id=cve
 
axiomthemes–HeartStar Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes HeartStar heartstar allows PHP Local File Inclusion. This issue affects HeartStar: from n/a through <= 1.0.14. 2025-12-18 not yet calculated CVE-2025-60046 https://vdp.patchstack.com/database/Wordpress/Theme/heartstar/vulnerability/wordpress-heartstar-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–IPharm Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes IPharm ipharm allows PHP Local File Inclusion. This issue affects IPharm: from n/a through <= 1.2.3. 2025-12-18 not yet calculated CVE-2025-60047 https://vdp.patchstack.com/database/Wordpress/Theme/ipharm/vulnerability/wordpress-ipharm-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Tripster Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion. This issue affects Tripster: from n/a through <= 1.0.10. 2025-12-18 not yet calculated CVE-2025-60048 https://vdp.patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Soleil Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Soleil soleil allows PHP Local File Inclusion. This issue affects Soleil: from n/a through <= 1.17. 2025-12-18 not yet calculated CVE-2025-60049 https://vdp.patchstack.com/database/Wordpress/Theme/soleil/vulnerability/wordpress-soleil-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Panda Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion. This issue affects Panda: from n/a through <= 1.21. 2025-12-18 not yet calculated CVE-2025-60050 https://vdp.patchstack.com/database/Wordpress/Theme/panda/vulnerability/wordpress-panda-theme-1-21-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Rare Radio Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Rare Radio rareradio allows PHP Local File Inclusion. This issue affects Rare Radio: from n/a through <= 1.0.15.1. 2025-12-18 not yet calculated CVE-2025-60051 https://vdp.patchstack.com/database/Wordpress/Theme/rareradio/vulnerability/wordpress-rare-radio-theme-1-0-15-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–W&D Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes W&D wd allows PHP Local File Inclusion. This issue affects W&D: from n/a through <= 1.0. 2025-12-18 not yet calculated CVE-2025-60052 https://vdp.patchstack.com/database/Wordpress/Theme/wd/vulnerability/wordpress-w-d-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–MaxCube Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion. This issue affects MaxCube: from n/a through <= 1.3.1. 2025-12-18 not yet calculated CVE-2025-60053 https://vdp.patchstack.com/database/Wordpress/Theme/maxcube/vulnerability/wordpress-maxcube-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–OnLeash Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes OnLeash onleash allows PHP Local File Inclusion. This issue affects OnLeash: from n/a through <= 1.5.2. 2025-12-18 not yet calculated CVE-2025-60054 https://vdp.patchstack.com/database/Wordpress/Theme/onleash/vulnerability/wordpress-onleash-theme-1-5-2-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Fabrica Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion. This issue affects Fabrica: from n/a through <= 1.8.1. 2025-12-18 not yet calculated CVE-2025-60055 https://vdp.patchstack.com/database/Wordpress/Theme/fabrica/vulnerability/wordpress-fabrica-theme-1-8-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–Winger Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Winger winger allows PHP Local File Inclusion. This issue affects Winger: from n/a through <= 1.0.16. 2025-12-18 not yet calculated CVE-2025-60056 https://vdp.patchstack.com/database/Wordpress/Theme/winger/vulnerability/wordpress-winger-theme-1-0-16-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–DJ Rainflow Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes DJ Rainflow dj-rainflow allows PHP Local File Inclusion. This issue affects DJ Rainflow: from n/a through <= 1.3.13. 2025-12-18 not yet calculated CVE-2025-60057 https://vdp.patchstack.com/database/Wordpress/Theme/dj-rainflow/vulnerability/wordpress-dj-rainflow-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes–DetailX Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes DetailX detailx allows PHP Local File Inclusion. This issue affects DetailX: from n/a through <= 1.10.0. 2025-12-18 not yet calculated CVE-2025-60058 https://vdp.patchstack.com/database/Wordpress/Theme/detailx/vulnerability/wordpress-detailx-theme-1-10-0-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–smart SEO Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion. This issue affects smart SEO: from n/a through <= 2.12. 2025-12-18 not yet calculated CVE-2025-60059 https://vdp.patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Pubzinne Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion. This issue affects Pubzinne: from n/a through <= 1.0.12. 2025-12-18 not yet calculated CVE-2025-60060 https://vdp.patchstack.com/database/Wordpress/Theme/pubzinne/vulnerability/wordpress-pubzinne-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Kicker Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion. This issue affects Kicker: from n/a through <= 2.2.0. 2025-12-18 not yet calculated CVE-2025-60061 https://vdp.patchstack.com/database/Wordpress/Theme/kicker/vulnerability/wordpress-kicker-theme-2-2-0-local-file-inclusion-vulnerability?_s_id=cve
 
mmetrodw–tPlayer Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection. This issue affects tPlayer: from n/a through <= 1.2.1.6. 2025-12-18 not yet calculated CVE-2025-60062 https://vdp.patchstack.com/database/Wordpress/Plugin/tplayer-html5-audio-player-with-playlist/vulnerability/wordpress-tplayer-plugin-1-2-1-6-sql-injection-vulnerability?_s_id=cve
 
axiomthemes–Rosalinda Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion. This issue affects Rosalinda: from n/a through <= 1.2.3. 2025-12-18 not yet calculated CVE-2025-60063 https://vdp.patchstack.com/database/Wordpress/Theme/rosalinda/vulnerability/wordpress-rosalinda-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Renewal Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Renewal renewal allows PHP Local File Inclusion. This issue affects Renewal: from n/a through <= 1.2.2. 2025-12-18 not yet calculated CVE-2025-60064 https://vdp.patchstack.com/database/Wordpress/Theme/renewal/vulnerability/wordpress-renewal-theme-1-2-2-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Pinevale Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Pinevale pinevale allows PHP Local File Inclusion. This issue affects Pinevale: from n/a through <= 1.0.14. 2025-12-18 not yet calculated CVE-2025-60065 https://vdp.patchstack.com/database/Wordpress/Theme/pinevale/vulnerability/wordpress-pinevale-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Katelyn Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion. This issue affects Katelyn: from n/a through <= 1.0.10. 2025-12-18 not yet calculated CVE-2025-60066 https://vdp.patchstack.com/database/Wordpress/Theme/katelyn/vulnerability/wordpress-katelyn-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve
 
axiomthemes–Giardino Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion. This issue affects Giardino: from n/a through <= 1.1.10. 2025-12-18 not yet calculated CVE-2025-60067 https://vdp.patchstack.com/database/Wordpress/Theme/giardino/vulnerability/wordpress-giardino-theme-1-1-10-local-file-inclusion-vulnerability?_s_id=cve
 
javothemes–Javo Core Improper Control of Generation of Code (‘Code Injection’) vulnerability in javothemes Javo Core javo-core allows Code Injection. This issue affects Javo Core: from n/a through <= 3.0.0.266. 2025-12-18 not yet calculated CVE-2025-60068 https://vdp.patchstack.com/database/Wordpress/Plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-arbitrary-code-execution-vulnerability?_s_id=cve
 
ThemeMove–MinimogWP Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion. This issue affects MinimogWP: from n/a through <= 3.9.6. 2025-12-18 not yet calculated CVE-2025-60069 https://vdp.patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-2-local-file-inclusion-vulnerability?_s_id=cve
 
The4–Molla Improper Control of Generation of Code (‘Code Injection’) vulnerability in The4 Molla molla allows Code Injection. This issue affects Molla: from n/a through <= 1.5.13. 2025-12-18 not yet calculated CVE-2025-60070 https://vdp.patchstack.com/database/Wordpress/Theme/molla/vulnerability/wordpress-molla-multipurpose-responsive-shopify-theme-1-5-13-arbitrary-code-execution-vulnerability?_s_id=cve
 
don-themes–Riode | Multi-Purpose WooCommerce Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in don-themes Riode | Multi-Purpose WooCommerce riode allows PHP Local File Inclusion. This issue affects Riode | Multi-Purpose WooCommerce: from n/a through <= 1.6.23. 2025-12-18 not yet calculated CVE-2025-60071 https://vdp.patchstack.com/database/Wordpress/Theme/riode/vulnerability/wordpress-riode-multi-purpose-woocommerce-theme-1-6-23-local-file-inclusion-vulnerability?_s_id=cve
 
Processby–Anchor smooth scroll Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Processby Anchor smooth scroll anchor-smooth-scroll allows PHP Local File Inclusion. This issue affects Anchor smooth scroll: from n/a through <= 1.0.2. 2025-12-18 not yet calculated CVE-2025-60072 https://vdp.patchstack.com/database/Wordpress/Plugin/anchor-smooth-scroll/vulnerability/wordpress-anchor-smooth-scroll-plugin-1-0-2-local-file-inclusion-vulnerability?_s_id=cve
 
jbhovik–Ray Enterprise Translation Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in jbhovik Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion. This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1. 2025-12-18 not yet calculated CVE-2025-60076 https://vdp.patchstack.com/database/Wordpress/Plugin/lingotek-translation/vulnerability/wordpress-ray-enterprise-translation-plugin-1-7-1-local-file-inclusion-vulnerability?_s_id=cve
 
YayCommerce–YayPricing Missing Authorization vulnerability in YayCommerce YayPricing yaypricing allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects YayPricing: from n/a through <= 3.5.3. 2025-12-18 not yet calculated CVE-2025-60077 https://vdp.patchstack.com/database/Wordpress/Plugin/yaypricing/vulnerability/wordpress-yaypricing-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve
 
Agence web Eoxia – Montpellier–Task Manager Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Agence web Eoxia – Montpellier Task Manager task-manager allows PHP Local File Inclusion. This issue affects Task Manager: from n/a through <= 3.0.2. 2025-12-18 not yet calculated CVE-2025-60078 https://vdp.patchstack.com/database/Wordpress/Plugin/task-manager/vulnerability/wordpress-task-manager-plugin-3-0-2-local-file-inclusion-vulnerability?_s_id=cve
 
bPlugins–Parallax Section block Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Parallax Section block: from n/a through <= 1.0.9. 2025-12-18 not yet calculated CVE-2025-60079 https://vdp.patchstack.com/database/Wordpress/Plugin/parallax-section/vulnerability/wordpress-parallax-section-block-plugin-1-0-9-broken-authentication-vulnerability?_s_id=cve
 
add-ons.org–PDF for Gravity Forms + Drag And Drop Template Builder Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection. This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.3.0. 2025-12-18 not yet calculated CVE-2025-60080 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/vulnerability/wordpress-pdf-for-gravity-forms-drag-and-drop-template-builder-plugin-6-3-0-php-object-injection-vulnerability?_s_id=cve
 
add-ons.org–PDF for Contact Form 7 Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection. This issue affects PDF for Contact Form 7: from n/a through <= 6.3.4. 2025-12-18 not yet calculated CVE-2025-60081 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-contact-form-7/vulnerability/wordpress-pdf-for-contact-form-7-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
add-ons.org–PDF for WPForms Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection. This issue affects PDF for WPForms: from n/a through <= 6.3.1. 2025-12-18 not yet calculated CVE-2025-60082 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
add-ons.org–PDF Invoice Builder for WooCommerce Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection. This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 6.3.2. 2025-12-18 not yet calculated CVE-2025-60083 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoice-builder-for-woocommerce-plugin-6-3-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
add-ons.org–PDF for Elementor Forms + Drag And Drop Template Builder Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1. 2025-12-18 not yet calculated CVE-2025-60084 https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability?_s_id=cve
 
Matt–WP Voting Contest Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Voting Contest: from n/a through <= 5.8. 2025-12-18 not yet calculated CVE-2025-60086 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-voting-contest/vulnerability/wordpress-wp-voting-contest-plugin-5-8-broken-access-control-vulnerability?_s_id=cve
 
Saleswonder Team: Tobias–WebinarIgnition Missing Authorization vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebinarIgnition: from n/a through <= 4.06.04. 2025-12-18 not yet calculated CVE-2025-60088 https://vdp.patchstack.com/database/Wordpress/Plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-05-13-broken-access-control-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms FreshDesk Plugin Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5. 2025-12-18 not yet calculated CVE-2025-60089 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms Insightly Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection. This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6. 2025-12-18 not yet calculated CVE-2025-60090 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-insightly/vulnerability/wordpress-wp-gravity-forms-insightly-plugin-1-1-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms Zoho CRM and Bigin Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection. This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9. 2025-12-18 not yet calculated CVE-2025-60091 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-zoho/vulnerability/wordpress-wp-gravity-forms-zoho-crm-and-bigin-plugin-1-2-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms Constant Contact Plugin Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection. This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2. 2025-12-18 not yet calculated CVE-2025-60174 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-constant-contact/vulnerability/wordpress-wp-gravity-forms-constant-contact-plugin-plugin-1-1-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms HubSpot Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection. This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6. 2025-12-18 not yet calculated CVE-2025-60178 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-hubspot/vulnerability/wordpress-wp-gravity-forms-hubspot-plugin-1-2-6-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
CRM Perks–WP Gravity Forms Salesforce Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection. This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1. 2025-12-18 not yet calculated CVE-2025-60180 https://vdp.patchstack.com/database/Wordpress/Plugin/gf-salesforce-crmperks/vulnerability/wordpress-wp-gravity-forms-salesforce-plugin-1-5-1-php-object-injection-vulnerability?_s_id=cve
 
Schiocco–Support Board Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through < 3.8.7. 2025-12-18 not yet calculated CVE-2025-60182 https://vdp.patchstack.com/database/Wordpress/Plugin/supportboard/vulnerability/wordpress-support-board-plugin-3-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
iceScrum–iceScrum A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file. 2025-12-15 not yet calculated CVE-2025-60786 https://www.icescrum.com/download/
https://zdaylabs.com/CVE-2025-60786.html
 
Johnson Controls–iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, iSTAR Ultra SE Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires. 2025-12-17 not yet calculated CVE-2025-61736 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04
 
Inaba Denki Sangyo Co., Ltd.–CHOCO TEI WATCHER mini (IB-MCT001) CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive. 2025-12-16 not yet calculated CVE-2025-61976 https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf
https://jvn.jp/en/vu/JVNVU92827367/
 
QNAP Systems Inc.–QTS An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to alter execution logic. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. 2025-12-16 not yet calculated CVE-2025-62847 https://www.qnap.com/en/security-advisory/qsa-25-45
 
QNAP Systems Inc.–QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. 2025-12-16 not yet calculated CVE-2025-62848 https://www.qnap.com/en/security-advisory/qsa-25-45
 
QNAP Systems Inc.–QTS An SQL injection vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. 2025-12-16 not yet calculated CVE-2025-62849 https://www.qnap.com/en/security-advisory/qsa-25-45
 
Ampere–AmpereOne Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM Boot Error Record Table driver that could result in (1) an out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state or (2) an out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to UEFI-MM Secure Partition by the Secure Partition Manager. 2025-12-16 not yet calculated CVE-2025-62862 https://amperecomputing.com/products/product-security
https://amperecomputing.com/products/security-bulletins/amp-sb-0007
 
Ampere–AmpereOne Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM PCIe driver that could result in an out-of-bounds write within PCIe driver’s S-EL0 address space. 2025-12-16 not yet calculated CVE-2025-62863 https://amperecomputing.com/products/product-security
https://amperecomputing.com/products/security-bulletins/amp-sb-0007
 
Ampere–AmpereOne Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM MMCommunicate service that could result in an out-of-bounds write within the UEFI-MM Secure Partition context. 2025-12-16 not yet calculated CVE-2025-62864 https://amperecomputing.com/products/product-security
https://amperecomputing.com/products/security-bulletins/amp-sb-0007
 
CridioStudio–ListingPro Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9. 2025-12-18 not yet calculated CVE-2025-63039 https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-9-broken-access-control-vulnerability-2?_s_id=cve
 
MatrixAddons–Easy Invoice Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS. This issue affects Easy Invoice: from n/a through <= 2.0.9. 2025-12-18 not yet calculated CVE-2025-6324 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AncoraThemes–Inset Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Inset inset allows PHP Local File Inclusion. This issue affects Inset: from n/a through <= 1.18.0. 2025-12-18 not yet calculated CVE-2025-6326 https://vdp.patchstack.com/database/Wordpress/Theme/inset/vulnerability/wordpress-inset-1-18-0-local-file-inclusion-vulnerability?_s_id=cve
 
Dify–Dify A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. 2025-12-18 not yet calculated CVE-2025-63386 https://github.com/langgenius/dify/discussions
https://gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9
 
Dify–Dify Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. 2025-12-18 not yet calculated CVE-2025-63387 https://github.com/langgenius/dify/discussions
https://gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af
 
Dify–Dify A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. 2025-12-18 not yet calculated CVE-2025-63388 https://github.com/langgenius/dify/discussions
https://gist.github.com/Cristliu/5ded6d03e41d7d66ecb1b568bae3ff6c
 
Ollama–Ollama A critical authentication bypass vulnerability exists in Ollama platform’s API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. 2025-12-18 not yet calculated CVE-2025-63389 https://github.com/ollama/ollama/issues
https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd
 
AnythingLLM–AnythingLLM An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps. 2025-12-18 not yet calculated CVE-2025-63390 https://github.com/Mintplex-Labs/anything-llm/issues
https://gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d
 
Open-WebUI–Open-WebUI An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers. 2025-12-18 not yet calculated CVE-2025-63391 https://github.com/open-webui/open-webui/issues
https://gist.github.com/Cristliu/13c41b97285b776275bc8bfd3504e51b
 
Allsky WebUI–Allsky WebUI A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE). 2025-12-16 not yet calculated CVE-2025-63414 https://github.com/AllskyTeam/allsky
https://github.com/AllskyTeam/allsky/blob/master/html/execute.php
https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/
 
GT Edge–GT Edge An issue in GT Edge AI Platform versions before v2.0.10-dev allows attackers to execute arbitrary code via injecting a crafted JSON payload into the Prompt window. 2025-12-19 not yet calculated CVE-2025-63665 https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending
https://gist.github.com/p80n-sec/e5eefcef155e9dd14aaaaa49f9f94cd1
 
FFmpeg–FFmpeg Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0. 2025-12-18 not yet calculated CVE-2025-63757 https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20698
https://gist.github.com/miora-sora/43c1c5616dd5b4f960a9d20296ef4833
https://ffmpeg.org/security.html
 
phpMsAdmin–phpMsAdmin A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via the dbname parameter after a user is authenticated. 2025-12-18 not yet calculated CVE-2025-63947 https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-pending-phpMsAdmin.md
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-2025-63947.md
 
phpMsAdmin–phpMsAdmin A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation. 2025-12-18 not yet calculated CVE-2025-63948 https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-pending-phpMsAdmin.md
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-2025-63948.md
 
yohanawi–yohanawi A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the ‘error’ parameter in pages/room.php. 2025-12-18 not yet calculated CVE-2025-63949 https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Hotel-Management-System/CVE-pending-XSS.md
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Hotel-Management-System/CVE-2025-63949.md
 
to3k–Twittodon An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The ‘obj’ parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service. 2025-12-18 not yet calculated CVE-2025-63950 https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Twittodon/CVE-pending-Deserialization.md
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Twittodon/CVE-2025-63950.md
 
MiczFlor–RPi-Jukebox-RFID An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The ‘rss’ GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service. 2025-12-18 not yet calculated CVE-2025-63951 https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi-Jukebox-RFID/CVE-pending-Deserialization.md
https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi-Jukebox-RFID/CVE-2025-63951.md
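The Twittodon and RPi-Jukebox-RFID entries above describe the same pattern: a request parameter (the base64-encoded obj parameter in one case, the raw rss query parameter in the other) handed straight to PHP's unserialize(). The detector below is added here as an example and is not code from either project; it finds serialized PHP object tokens in request parameters, trying a base64 decoding as well as the raw value, so such payloads can be picked out of access logs. The log lines and the class name SomeGadget are constructed for the example.

```python
"""Added example (not code from either project): find PHP object-injection
payloads in request parameters, raw or base64-encoded. Sample traffic is
constructed; the class name SomeGadget is a placeholder."""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# O:<len>:"<class>":<nprops>:{   serialized object
# C:<len>:"<class>":<datalen>:{  class implementing Serializable
PHP_OBJECT = re.compile(r'(?P<kind>[OC]):(?P<len>\d+):"(?P<cls>[^"]*)":\d+:\{')


def php_object_classes(blob: str) -> list[str]:
    """Class names of every object token whose declared length matches the
    name; a mismatch is almost never real PHP serialized data."""
    return [m["cls"] for m in PHP_OBJECT.finditer(blob)
            if int(m["len"]) == len(m["cls"].encode())]


def candidate_decodings(value: str) -> list[str]:
    """The raw value plus a strict base64 decoding when the value is one."""
    out = [value]
    try:
        out.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
    except (binascii.Error, ValueError):
        pass
    return out


def scan_params(params: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(parameter, class) pairs for every injected object found."""
    hits = []
    for name, values in params.items():
        for v in values:
            for blob in candidate_decodings(v):
                for cls in php_object_classes(blob):
                    hits.append((name, cls))
    return hits


def scan_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Minimal reader for lines of the form 'METHOD path[?query] [body]'.
    Query and body parameters are merged; returns (path, parameter, class)."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        target = urlsplit(parts[1])
        body = parts[2] if len(parts) == 3 else ""
        params = parse_qs(target.query, keep_blank_values=True)
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
        for param, cls in scan_params(params):
            findings.append((target.path, param, cls))
    return findings


# Constructed sample traffic: a raw serialized object in a GET parameter, a
# base64-encoded one in a POST body, and an innocent value containing "O:".
SAMPLE_LOG = [
    "GET /rss-mp3.php?rss=" + quote('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'),
    "POST /download.php obj="
    + quote(base64.b64encode(b'O:10:"SomeGadget":0:{}').decode()),
    "GET /search.php?q=O:hello",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

On the application side the fix is to stop deserializing attacker-controlled input at all (JSON with explicit field handling is the usual replacement), or at minimum to call unserialize($data, ['allowed_classes' => false]) so no objects, and hence no magic-method side effects, are instantiated from the request.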
 
InvoicePlane–InvoicePlane InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data. 2025-12-16 not yet calculated CVE-2025-64012 https://github.com/InvoicePlane/InvoicePlane/commit/debb446ceaa84efc136987fc1e21b268f34e47b0
https://gist.github.com/tarekramm/797073e9ae991211ff2ae71ed1190c7d
 
PenciDesign–Soledad Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation. This issue affects Soledad: from n/a through <= 8.6.9. 2025-12-18 not yet calculated CVE-2025-64188 https://vdp.patchstack.com/database/Wordpress/Theme/soledad/vulnerability/wordpress-soledad-theme-8-6-9-privilege-escalation-vulnerability?_s_id=cve

8theme–XStore Core Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through < 5.6. 2025-12-18 not yet calculated CVE-2025-64189 https://vdp.patchstack.com/database/Wordpress/Plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-cross-site-scripting-xss-vulnerability?_s_id=cve

8theme–XStore Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in 8theme XStore xstore allows Reflected XSS. This issue affects XStore: from n/a through < 9.6.1. 2025-12-18 not yet calculated CVE-2025-64191 https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve

8theme–XStore Missing Authorization vulnerability in 8theme XStore xstore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects XStore: from n/a through < 9.6. 2025-12-18 not yet calculated CVE-2025-64192 https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-broken-access-control-vulnerability?_s_id=cve

8theme–XStore Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through < 9.6.1. 2025-12-18 not yet calculated CVE-2025-64193 https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-1-local-file-inclusion-vulnerability?_s_id=cve

EverPress–Mailster Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in EverPress Mailster mailster allows Reflected XSS. This issue affects Mailster: from n/a through < 4.1.14. 2025-12-18 not yet calculated CVE-2025-64203 https://vdp.patchstack.com/database/Wordpress/Plugin/mailster/vulnerability/wordpress-mailster-plugin-4-1-14-cross-site-scripting-xss-vulnerability?_s_id=cve

TieLabs–Jannah Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through <= 7.6.0. 2025-12-18 not yet calculated CVE-2025-64205 https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-local-file-inclusion-vulnerability?_s_id=cve

TieLabs–Jannah Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection. This issue affects Jannah: from n/a through <= 7.6.0. 2025-12-18 not yet calculated CVE-2025-64206 https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve

TieLabs–Jannah Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in TieLabs Jannah jannah allows DOM-Based XSS. This issue affects Jannah: from n/a through <= 7.6.0. 2025-12-18 not yet calculated CVE-2025-64207 https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve

StylemixThemes–Masterstudy Missing Authorization vulnerability in StylemixThemes Masterstudy masterstudy allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy: from n/a through < 4.8.122. 2025-12-18 not yet calculated CVE-2025-64209 https://vdp.patchstack.com/database/Wordpress/Theme/masterstudy/vulnerability/wordpress-masterstudy-theme-4-8-122-broken-access-control-vulnerability?_s_id=cve

StylemixThemes–MasterStudy LMS Pro Insertion of Sensitive Information Into Sent Data vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Retrieve Embedded Sensitive Data. This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16. 2025-12-18 not yet calculated CVE-2025-64213 https://vdp.patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-sensitive-data-exposure-vulnerability?_s_id=cve

StylemixThemes–MasterStudy LMS Pro Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16. 2025-12-18 not yet calculated CVE-2025-64214 https://vdp.patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-arbitrary-content-deletion-vulnerability?_s_id=cve

ThemeGoods–Photography Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Photography photography allows Reflected XSS. This issue affects Photography: from n/a through <= 7.7.2. 2025-12-18 not yet calculated CVE-2025-64217 https://vdp.patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve

WP Chill–Passster Insertion of Sensitive Information Into Sent Data vulnerability in WP Chill Passster content-protector allows Retrieve Embedded Sensitive Data. This issue affects Passster: from n/a through <= 4.2.19. 2025-12-18 not yet calculated CVE-2025-64218 https://vdp.patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-19-sensitive-data-exposure-vulnerability?_s_id=cve

designthemes–Reservation Plugin Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Reflected XSS. This issue affects Reservation Plugin: from n/a through <= 1.6. 2025-12-18 not yet calculated CVE-2025-64221 https://vdp.patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve

FantasticPlugins–WooCommerce Recover Abandoned Cart Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0. 2025-12-18 not yet calculated CVE-2025-64222 https://vdp.patchstack.com/database/Wordpress/Plugin/rac/vulnerability/wordpress-woocommerce-recover-abandoned-cart-plugin-24-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve

PenciDesign–PenNews Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in PenciDesign PenNews pennews allows PHP Local File Inclusion. This issue affects PenNews: from n/a through < 6.7.3. 2025-12-18 not yet calculated CVE-2025-64223 https://vdp.patchstack.com/database/Wordpress/Theme/pennews/vulnerability/wordpress-pennews-theme-6-7-3-local-file-inclusion-vulnerability?_s_id=cve

colabrio–Stockie Extra Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection. This issue affects Stockie Extra: from n/a through <= 1.2.11. 2025-12-18 not yet calculated CVE-2025-64225 https://vdp.patchstack.com/database/Wordpress/Plugin/stockie-extra/vulnerability/wordpress-stockie-extra-plugin-1-2-11-content-injection-vulnerability?_s_id=cve

BoldGrid–Client Invoicing by Sprout Invoices Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7. 2025-12-18 not yet calculated CVE-2025-64227 https://vdp.patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-7-php-object-injection-vulnerability?_s_id=cve

WP Chill–Filr Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in WP Chill Filr filr-protection allows Path Traversal. This issue affects Filr: from n/a through <= 1.2.10. 2025-12-18 not yet calculated CVE-2025-64230 https://vdp.patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-10-arbitrary-file-deletion-vulnerability?_s_id=cve

RedefiningTheWeb–WordPress Contact Form 7 PDF, Google Sheet & Database Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0. 2025-12-18 not yet calculated CVE-2025-64231 https://vdp.patchstack.com/database/Wordpress/Plugin/rtwwcfp-wordpress-contact-form-7-pdf/vulnerability/wordpress-wordpress-contact-form-7-pdf-google-sheet-database-plugin-3-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

BoldThemes–Codiqa Deserialization of Untrusted Data vulnerability in BoldThemes Codiqa codiqa allows Object Injection. This issue affects Codiqa: from n/a through < 1.2.8. 2025-12-18 not yet calculated CVE-2025-64233 https://vdp.patchstack.com/database/Wordpress/Theme/codiqa/vulnerability/wordpress-codiqa-theme-1-2-8-php-object-injection-vulnerability?_s_id=cve

Graham–Quick Interest Slider Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery. This issue affects Quick Interest Slider: from n/a through <= 3.1.5. 2025-12-16 not yet calculated CVE-2025-64237 https://vdp.patchstack.com/database/Wordpress/Plugin/quick-interest-slider/vulnerability/wordpress-quick-interest-slider-plugin-3-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

NicolasKulka–WPS Bidouille Missing Authorization vulnerability in NicolasKulka WPS Bidouille wps-bidouille allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPS Bidouille: from n/a through <= 1.33.1. 2025-12-16 not yet calculated CVE-2025-64238 https://vdp.patchstack.com/database/Wordpress/Plugin/wps-bidouille/vulnerability/wordpress-wps-bidouille-plugin-1-33-1-broken-access-control-vulnerability?_s_id=cve

Yoav Farhi–RTL Tester Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery. This issue affects RTL Tester: from n/a through <= 1.2. 2025-12-16 not yet calculated CVE-2025-64239 https://vdp.patchstack.com/database/Wordpress/Plugin/rtl-tester/vulnerability/wordpress-rtl-tester-plugin-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

freshchat–Freshchat Cross-Site Request Forgery (CSRF) vulnerability in freshchat Freshchat freshchat allows Cross Site Request Forgery. This issue affects Freshchat: from n/a through <= 2.3.4. 2025-12-16 not yet calculated CVE-2025-64240 https://vdp.patchstack.com/database/Wordpress/Plugin/freshchat/vulnerability/wordpress-freshchat-plugin-2-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Imtiaz Rayhan–WP Coupons and Deals Missing Authorization vulnerability in Imtiaz Rayhan WP Coupons and Deals wp-coupons-and-deals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Coupons and Deals: from n/a through <= 3.2.4. 2025-12-16 not yet calculated CVE-2025-64241 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-coupons-and-deals/vulnerability/wordpress-wp-coupons-and-deals-plugin-3-2-4-broken-access-control-vulnerability?_s_id=cve

Merv Barrett–Easy Property Listings Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.15. 2025-12-16 not yet calculated CVE-2025-64242 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-15-broken-access-control-vulnerability?_s_id=cve

e-plugins–Directory Pro Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directory Pro: from n/a through <= 2.5.6. 2025-12-16 not yet calculated CVE-2025-64243 https://vdp.patchstack.com/database/Wordpress/Plugin/directory-pro/vulnerability/wordpress-directory-pro-plugin-2-5-6-broken-access-control-vulnerability?_s_id=cve

Codexpert, Inc–Restrict Elementor Widgets, Columns and Sections Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12. 2025-12-16 not yet calculated CVE-2025-64244 https://vdp.patchstack.com/database/Wordpress/Plugin/restrict-elementor-widgets/vulnerability/wordpress-restrict-elementor-widgets-columns-and-sections-plugin-1-12-broken-access-control-vulnerability?_s_id=cve

ryanpcmcquen–Import external attachments Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Import external attachments: from n/a through <= 1.5.12. 2025-12-16 not yet calculated CVE-2025-64245 https://vdp.patchstack.com/database/Wordpress/Plugin/import-external-attachments/vulnerability/wordpress-import-external-attachments-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve

netopsae–Accessibility by AudioEye Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49. 2025-12-16 not yet calculated CVE-2025-64246 https://vdp.patchstack.com/database/Wordpress/Plugin/accessibility-by-audioeye/vulnerability/wordpress-accessibility-by-audioeye-plugin-1-0-49-broken-access-control-vulnerability?_s_id=cve

edmon.parker–Read More & Accordion Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Read More & Accordion: from n/a through <= 3.5.4.1. 2025-12-16 not yet calculated CVE-2025-64247 https://vdp.patchstack.com/database/Wordpress/Plugin/expand-maker/vulnerability/wordpress-read-more-accordion-plugin-3-5-4-1-broken-access-control-vulnerability?_s_id=cve

emarket-design–Request a Quote Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Request a Quote: from n/a through <= 2.5.3. 2025-12-16 not yet calculated CVE-2025-64248 https://vdp.patchstack.com/database/Wordpress/Plugin/request-a-quote/vulnerability/wordpress-request-a-quote-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve

WP-EXPERTS.IN–Protect WP Admin Missing Authorization vulnerability in WP-EXPERTS.IN Protect WP Admin protect-wp-admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protect WP Admin: from n/a through <= 4.1. 2025-12-16 not yet calculated CVE-2025-64249 https://vdp.patchstack.com/database/Wordpress/Plugin/protect-wp-admin/vulnerability/wordpress-protect-wp-admin-plugin-4-1-broken-access-control-vulnerability?_s_id=cve

wpWax–Directorist URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in wpWax Directorist directorist allows Phishing. This issue affects Directorist: from n/a through <= 8.5.6. 2025-12-16 not yet calculated CVE-2025-64250 https://vdp.patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-open-redirection-vulnerability?_s_id=cve

azzaroco–Ultimate Learning Pro Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Learning Pro: from n/a through <= 3.9.3. 2025-12-16 not yet calculated CVE-2025-64251 https://vdp.patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-3-arbitrary-content-deletion-vulnerability?_s_id=cve

WordPress.org–Health Check & Troubleshooting Path Traversal: ‘.../...//’ vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal. This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1. 2025-12-16 not yet calculated CVE-2025-64253 https://vdp.patchstack.com/database/Wordpress/Plugin/health-check/vulnerability/wordpress-health-check-troubleshooting-plugin-1-7-1-path-traversal-vulnerability?_s_id=cve

wpweb–Follow My Blog Post Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data. This issue affects Follow My Blog Post: from n/a through <= 2.3.9. 2025-12-18 not yet calculated CVE-2025-64258 https://vdp.patchstack.com/database/Wordpress/Plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-3-9-sensitive-data-exposure-vulnerability?_s_id=cve

Marco Milesi–ANAC XML Bandi di Gara Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Marco Milesi ANAC XML Bandi di Gara avcp allows Reflected XSS. This issue affects ANAC XML Bandi di Gara: from n/a through <= 7.7. 2025-12-18 not yet calculated CVE-2025-64260 https://vdp.patchstack.com/database/Wordpress/Plugin/avcp/vulnerability/wordpress-anac-xml-bandi-di-gara-plugin-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve

magepeopleteam–Booking and Rental Manager Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.5.4. 2025-12-18 not yet calculated CVE-2025-64266 https://vdp.patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-4-php-object-injection-vulnerability?_s_id=cve

Arraytics–Timetics Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through <= 1.0.44. 2025-12-18 not yet calculated CVE-2025-64268 https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-44-broken-access-control-vulnerability?_s_id=cve

masteriyo–Masteriyo – LMS Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo – LMS learning-management-system allows Retrieve Embedded Sensitive Data. This issue affects Masteriyo – LMS: from n/a through <= 2.0.3. 2025-12-18 not yet calculated CVE-2025-64270 https://vdp.patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-2-0-3-sensitive-data-exposure-vulnerability?_s_id=cve

GetResponse–Email marketing for WordPress by GetResponse Official Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Retrieve Embedded Sensitive Data. This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3. 2025-12-18 not yet calculated CVE-2025-64272 https://vdp.patchstack.com/database/Wordpress/Plugin/getresponse-official/vulnerability/wordpress-email-marketing-for-wordpress-by-getresponse-official-plugin-1-5-3-sensitive-data-exposure-vulnerability?_s_id=cve

GetResponse–Email marketing for WordPress by GetResponse Official Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3. 2025-12-18 not yet calculated CVE-2025-64273 https://vdp.patchstack.com/database/Wordpress/Plugin/getresponse-official/vulnerability/wordpress-email-marketing-for-wordpress-by-getresponse-official-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve

Syed Balkhi–All In One SEO Pack Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data. This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1. 2025-12-18 not yet calculated CVE-2025-64295 https://vdp.patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-8-6-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
MacWarrior–clipbucket-v5 ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 – #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket’s Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator’s browser and allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 – #157. 2025-12-15 not yet calculated CVE-2025-64338 https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-93rh-fxxx-j38j
https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc
 
shinetheme–Traveler Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.6. 2025-12-18 not yet calculated CVE-2025-64371 https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-sql-injection-vulnerability?_s_id=cve

shinetheme–Traveler Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in shinetheme Traveler traveler allows Reflected XSS. This issue affects Traveler: from n/a through < 3.2.6. 2025-12-18 not yet calculated CVE-2025-64372 https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve

shinetheme–Traveler Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion. This issue affects Traveler: from n/a through < 3.2.6. 2025-12-18 not yet calculated CVE-2025-64373 https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-local-file-inclusion-vulnerability?_s_id=cve

StylemixThemes–Motors Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files. This issue affects Motors: from n/a through <= 5.6.81. 2025-12-18 not yet calculated CVE-2025-64374 https://vdp.patchstack.com/database/Wordpress/Theme/motors/vulnerability/wordpress-motors-theme-5-6-80-arbitrary-file-upload-vulnerability?_s_id=cve

Mahmudul Hasan Arif–WP Social Ninja Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Social Ninja: from n/a through <= 3.20.1. 2025-12-18 not yet calculated CVE-2025-64375 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-social-reviews/vulnerability/wordpress-wp-social-ninja-plugin-3-20-1-broken-access-control-vulnerability?_s_id=cve

CridioStudio–ListingPro Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CridioStudio ListingPro listingpro allows Reflected XSS. This issue affects ListingPro: from n/a through < 2.9.10. 2025-12-18 not yet calculated CVE-2025-64376 https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-cross-site-scripting-xss-vulnerability?_s_id=cve

CridioStudio–ListingPro Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in CridioStudio ListingPro listingpro allows PHP Local File Inclusion. This issue affects ListingPro: from n/a through < 2.9.10. 2025-12-18 not yet calculated CVE-2025-64377 https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-local-file-inclusion-vulnerability?_s_id=cve

CridioStudio–ListingPro Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through < 2.9.10. 2025-12-18 not yet calculated CVE-2025-64378 https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-broken-access-control-vulnerability?_s_id=cve

Strategy11 Team–Business Directory Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through <= 6.4.19. 2025-12-16 not yet calculated CVE-2025-64630 https://vdp.patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-19-broken-access-control-vulnerability?_s_id=cve

WC Lovers–WCFM Marketplace Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.6.15. 2025-12-16 not yet calculated CVE-2025-64631 https://vdp.patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-6-15-broken-access-control-vulnerability?_s_id=cve

Auctollo–Google XML Sitemaps Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.21. 2025-12-16 not yet calculated CVE-2025-64632 https://vdp.patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability?_s_id=cve

colabrio–Norebro Extra Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection. This issue affects Norebro Extra: from n/a through <= 1.6.8. 2025-12-16 not yet calculated CVE-2025-64633 https://vdp.patchstack.com/database/Wordpress/Plugin/norebro-extra/vulnerability/wordpress-norebro-extra-plugin-1-6-8-content-injection-vulnerability?_s_id=cve

ThemeFusion–Avada Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.1. 2025-12-16 not yet calculated CVE-2025-64634 https://vdp.patchstack.com/database/Wordpress/Theme/avada/vulnerability/wordpress-avada-theme-7-13-1-broken-access-control-vulnerability?_s_id=cve

Syed Balkhi–Feeds for YouTube Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Feeds for YouTube: from n/a through <= 2.4.0. 2025-12-16 not yet calculated CVE-2025-64635 https://vdp.patchstack.com/database/Wordpress/Plugin/feeds-for-youtube/vulnerability/wordpress-feeds-for-youtube-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve

OnPay.io–OnPay.io for WooCommerce Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47. 2025-12-16 not yet calculated CVE-2025-64638 https://vdp.patchstack.com/database/Wordpress/Plugin/onpay-io-for-woocommerce/vulnerability/wordpress-onpay-io-for-woocommerce-plugin-1-0-47-broken-access-control-vulnerability?_s_id=cve

WP Compress–WP Compress for MainWP Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Compress for MainWP: from n/a through <= 6.50.07. 2025-12-16 not yet calculated CVE-2025-64639 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/vulnerability/wordpress-wp-compress-for-mainwp-plugin-6-50-07-broken-access-control-vulnerability?_s_id=cve
 
GROWI, Inc.–GROWI Cross-site request forgery vulnerability exists in GROWI v7.3.3 and earlier. If a user views a malicious page while logged in, the user may be tricked to do unintended operations. 2025-12-17 not yet calculated CVE-2025-64700 https://growi.co.jp/news/40/
https://jvn.jp/en/jp/JVN55745775/
 
arduino–arduino-ide Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7` release. 2025-12-18 not yet calculated CVE-2025-64723 https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj
https://github.com/arduino/arduino-ide/pull/2805/commits/2f7667136ee95ce07dde23c49d2de526b45e3293
https://github.com/arduino/arduino-ide/releases/tag/2.3.7
https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities
 
arduino–arduino-ide Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user’s privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release. 2025-12-18 not yet calculated CVE-2025-64724 https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6
https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98
https://github.com/arduino/arduino-ide/releases/tag/2.3.7
https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities
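
The two Arduino IDE entries above describe the two checks a macOS hardening review runs: what entitlements the signed bundle carries, and whether any file in the bundle is writable by other local users. The following is an added example, not Arduino's code and not taken from the advisories. The advisories do not name the entitlements that were shipped; the two keys flagged here (`com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-dyld-environment-variables`) are the ones that normally let a foreign dylib into a Hardened Runtime process and are an assumption. The entitlements plist and the bundle layout are constructed for the demo; on a real machine the plist comes from `codesign -d --entitlements :- "/Applications/Arduino IDE.app"` and the directory scan runs over the installed bundle.

```python
import os
import plistlib
import stat
import tempfile

# Entitlements that let an unsigned or foreign dylib load into a Hardened Runtime
# process. Assumed to be the relevant ones; the advisory does not list them.
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}

# Constructed entitlements blob, shaped like `codesign -d --entitlements :- <app>` output.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.app-sandbox</key><false/>
</dict></plist>
"""


def risky_entitlements(plist_bytes: bytes):
    """Return, sorted, the injection-enabling entitlements that are set to true."""
    ents = plistlib.loads(plist_bytes)
    return sorted(k for k, v in ents.items() if v is True and k in INJECTION_ENTITLEMENTS)


def world_writable(root: str):
    """Relative paths under root whose mode grants write to 'other' (sorted).
    Symlinks are skipped because their own mode bits carry no meaning."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_demo_bundle() -> str:
    """Create a throwaway directory shaped like an .app with one world-writable
    file. The paths are invented for the demo, not Arduino IDE's real layout."""
    root = tempfile.mkdtemp(prefix="demo-app-")
    for rel, mode in [("Contents/MacOS/launcher", 0o755),
                      ("Contents/Resources/app/main.js", 0o666)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("// placeholder\n")
        os.chmod(path, mode)
    # Pin directory modes so the result does not depend on the caller's umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


if __name__ == "__main__":
    print("risky entitlements:", risky_entitlements(SAMPLE_ENTITLEMENTS))
    print("world-writable:", world_writable(make_demo_bundle()))
```

Either finding on its own is enough to fail an install: a world-writable file under `Contents/` is replaced by any local user and runs as whoever launches the app next, and the two entitlements remove the signature check that would otherwise stop an injected dylib from loading.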
 
WeblateOrg–weblate Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving a Weblate session with an invitation opened unattended. 2025-12-15 not yet calculated CVE-2025-64725 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj
https://github.com/WeblateOrg/weblate/pull/16913
https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15
 
Checkmk GmbH–Checkmk Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allows low-privileged users to view agent information via the REST API, which could lead to information disclosure. 2025-12-18 not yet calculated CVE-2025-64997 https://checkmk.com/werk/18681
 
Checkmk GmbH–Checkmk SSH private keys of the “Remote alert handlers (Linux)” rule were exposed in the rule page’s HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed. 2025-12-18 not yet calculated CVE-2025-65000 https://checkmk.com/werk/19030
 
WODESYS–WD-R608U In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2025-12-18 not yet calculated CVE-2025-65007 http://www.wodesys.com/eproductms52.html
https://cert.pl/en/posts/2025/12/CVE-2025-65007
https://github.com/wcyb/security_research
 
WODESYS–WD-R608U In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2025-12-18 not yet calculated CVE-2025-65008 http://www.wodesys.com/eproductms52.html
https://cert.pl/en/posts/2025/12/CVE-2025-65007
https://github.com/wcyb/security_research
 
WODESYS–WD-R608U In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2025-12-18 not yet calculated CVE-2025-65009 http://www.wodesys.com/eproductms52.html
https://cert.pl/en/posts/2025/12/CVE-2025-65007
https://github.com/wcyb/security_research
 
WODESYS–WD-R608U WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2025-12-18 not yet calculated CVE-2025-65010 http://www.wodesys.com/eproductms52.html
https://cert.pl/posts/2025/12/CVE-2025-65007
https://github.com/wcyb/security_research
 
WODESYS–WD-R608U In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2025-12-18 not yet calculated CVE-2025-65011 http://www.wodesys.com/eproductms52.html
https://cert.pl/posts/2025/12/CVE-2025-65007
https://github.com/wcyb/security_research
 
WaveStore–WaveStore Server The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script. This issue was fixed in version 6.44.44. 2025-12-16 not yet calculated CVE-2025-65074 https://cert.pl/en/posts/2025/12/CVE-2025-65074
https://www.wavestore.com/products/video-management-software
 
WaveStore–WaveStore Server The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete files on the server, with the permissions of the dvr user, using path traversal in the alog script. This issue was fixed in version 6.44.44. 2025-12-16 not yet calculated CVE-2025-65075 https://cert.pl/en/posts/2025/12/CVE-2025-65074
https://www.wavestore.com/products/video-management-software
 
WaveStore–WaveStore Server The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete any file on the server using path traversal in the ilog script, which runs with root privileges. This issue was fixed in version 6.44.44. 2025-12-16 not yet calculated CVE-2025-65076 https://cert.pl/en/posts/2025/12/CVE-2025-65074
https://www.wavestore.com/products/video-management-software
 
OneAgent–OneAgent An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a “STATUS_LOGON_FAILURE” error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks. 2025-12-15 not yet calculated CVE-2025-65176 https://hackerone.com/reports/3313408
https://docs.dynatrace.com/docs/shortlink/release-notes-oneagent-sprint-325#oneagent-sprint-325-ga
https://docs.dynatrace.com/docs/whats-new/oneagent/sprint-325#oneagent-sprint-325-ga
 
Entrinsik–Informer Entrinsik Informer v5.10.1 allows username enumeration via the local user login: a malicious user submits an OTP code and a new password and tells valid usernames from invalid ones by the application's responses. 2025-12-17 not yet calculated CVE-2025-65185 http://entrinsik.com
http://informer.com
https://www.triaxiomsecurity.com/entrinsik-informer-username-enumeration-cve-2025-65185/
 
KeePassXC–KeePassXC-Browser KeePassXC-Browser through 1.9.9.2 autofills, or prompts to fill, stored credentials into documents rendered under a browser-enforced CSP `sandbox` directive or iframe `sandbox` attribute, allowing attacker-controlled script in the sandboxed document to read the populated form fields and exfiltrate the credentials. 2025-12-17 not yet calculated CVE-2025-65203 https://github.com/keepassxreboot/keepassxc-browser/issues/2647
https://github.com/keepassxreboot/keepassxc-browser/pull/2648
 
MooreThreads–torch_musa MooreThreads torch_musa, in all versions, contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions call pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling code execution with the privileges of the victim process. 2025-12-15 not yet calculated CVE-2025-65213 https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588
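
The torch_musa entry is the standard pickle failure: `pickle.load()` on a file the attacker wrote runs whatever callable the stream names, via the `__reduce__` hook. The block below is an added example and is not torch_musa's code. It puts the vulnerable call beside a loader that overrides `Unpickler.find_class` to refuse every global lookup, so the stream can only build plain containers and scalars. The "malicious" payload is constructed for the demo and calls `os.getcwd()` where a real one would call `os.system()`; the benign record mimics the kind of per-op comparison result such a tool would save, and its field names are invented.

```python
import io
import os
import pickle


class _Probe:
    """Stand-in for an attacker's payload: __reduce__ makes the unpickler call
    os.getcwd() on load. A real payload swaps in os.system or subprocess.Popen."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed inputs (not from torch_musa): one hostile, one ordinary comparison record.
MALICIOUS = pickle.dumps(_Probe())
BENIGN = pickle.dumps({"op": "conv2d", "max_abs_diff": 1.5e-6, "nan_inf": False})


def load_unsafe(blob: bytes):
    """The vulnerable shape: pickle.load() on bytes the caller did not produce.
    Any callable referenced by the stream runs before this function returns."""
    return pickle.load(io.BytesIO(blob))


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL / STACK_GLOBAL lookup. The stream then cannot name a
    callable at all; only container and scalar opcodes can execute."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes):
    return _NoGlobalsUnpickler(io.BytesIO(blob)).load()


def load_safely(blob: bytes):
    """Return (True, obj) for plain data, (False, reason) for a stream that tries
    to resolve a global. Callers can log the reason and keep the file for forensics."""
    try:
        return True, load_restricted(blob)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe load ran a callable, returned:", load_unsafe(MALICIOUS))
    print("restricted load of hostile stream:", load_safely(MALICIOUS))
    print("restricted load of plain record:", load_safely(BENIGN))
```

Restricting `find_class` is a containment measure, not a fix: it only helps when the data genuinely needs no classes. Where tensors or model objects must cross a trust boundary, the durable answer is a format without a code path in its parser (JSON, NumPy `.npy`, safetensors) rather than pickle.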
 
SLiMS–SLiMS Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of `$_SERVER['PHP_SELF']` in index.php/sysconfig.inc.php allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. 2025-12-17 not yet calculated CVE-2025-65233 https://github.com/slims/slims9_bulian/issues/185
https://github.com/hbtw25/vulnerability-research/tree/main/CVE-2025-65233
 
Canary Mail–Canary Mail When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. 2025-12-16 not yet calculated CVE-2025-65318 http://canary.com
http://canarymail.com
https://drive.google.com/file/d/14wrTzvcLPfFsWmy-SAtDwwZKKPssBsx5/view
https://github.com/nickvourd/RTI-Toolkit
https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319
 
Blue Mail–Blue Mail When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. 2025-12-16 not yet calculated CVE-2025-65319 http://blue.com
https://github.com/nickvourd/RTI-Toolkit
https://github.com/rip1s/CVE-2017-11882
https://drive.google.com/file/d/1dVzXuHBk3B1DiFpwFYwj2NNjeKGnGSwT/view
https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319
 
Dbit–Dbit The Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router, firmware version V1.0.0, does not implement rate limiting on /api/login, allowing attackers to brute-force passwords. 2025-12-16 not yet calculated CVE-2025-65427 http://shenzhen.com
http://dbit.com
https://github.com/kirubel-cve/CVE-2025-65427
 
allauth-django–allauth-django An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after tokens had been handed out for that user while the account was still active had no effect. Fixed: those access/refresh tokens are now rejected. 2025-12-15 not yet calculated CVE-2025-65430 https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
 
allauth-django–allauth-django An issue was discovered in allauth-django before 65.13.0. Both the Okta and NetIQ providers were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore not be used for authorization decisions. The providers now use sub instead. 2025-12-15 not yet calculated CVE-2025-65431 https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
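
The two allauth entries above are the same identity-engineering rule seen from two sides: a decision about who a login is must be keyed on a stable, issuer-assigned identifier (`sub`), and a decision about whether a token is still good must be made at use time against current account state, not at issue time. The block below is an added example in plain Python, not allauth's code; the in-memory users, accounts, tokens and the two sets of ID-token claims are constructed for the demo, and the field names are assumptions rather than allauth's model fields.

```python
from dataclasses import dataclass


@dataclass
class User:
    pk: int
    username: str
    is_active: bool = True


@dataclass(frozen=True)
class SocialAccount:
    provider: str
    uid: str      # the claim value the provider account is linked on
    user_pk: int


# Constructed state standing in for Django models (not allauth code).
USERS = {1: User(1, "alice"), 2: User(2, "mallory")}
ACCOUNTS_BY_SUB = [SocialAccount("okta", "00u1abcDEF", 1)]   # linked on stable sub
ACCOUNTS_BY_USERNAME = [SocialAccount("okta", "alice", 1)]   # linked on preferred_username

ALICE_CLAIMS = {"sub": "00u1abcDEF", "preferred_username": "alice"}
# Mallory's own IdP account after renaming it to collide with alice's handle.
MALLORY_CLAIMS = {"sub": "00u9zzzXYZ", "preferred_username": "alice"}


def resolve_user(accounts, users, provider, claims, key):
    """Map an incoming login to a local user, or None. `key` names the claim that
    is compared against SocialAccount.uid; only 'sub' is safe for that role."""
    uid = claims.get(key)
    for acct in accounts:
        if acct.provider == provider and acct.uid == uid:
            return users[acct.user_pk]
    return None


class TokenStore:
    """Access/refresh tokens issued by a local IdP, with two validators."""

    def __init__(self, users):
        self._users = users
        self._owner = {}  # token -> user pk

    def issue(self, user: User, token: str):
        self._owner[token] = user.pk

    def accept_v1(self, token: str) -> bool:
        # Vulnerable shape: a token minted while the user was active stays good
        # after is_active is set False.
        return token in self._owner

    def accept_fixed(self, token: str) -> bool:
        pk = self._owner.get(token)
        return pk is not None and self._users[pk].is_active


def token_after_deactivation():
    """Issue a token, deactivate its owner, re-check with both validators.
    Returns (vulnerable_accepts, fixed_accepts)."""
    users = {1: User(1, "alice")}
    store = TokenStore(users)
    store.issue(users[1], "tok-1")
    users[1].is_active = False
    return store.accept_v1("tok-1"), store.accept_fixed("tok-1")


if __name__ == "__main__":
    hit = resolve_user(ACCOUNTS_BY_USERNAME, USERS, "okta", MALLORY_CLAIMS, "preferred_username")
    print("keyed on preferred_username, mallory lands on:", hit and hit.username)
    print("keyed on sub, mallory lands on:", resolve_user(ACCOUNTS_BY_SUB, USERS, "okta", MALLORY_CLAIMS, "sub"))
    print("(vulnerable, fixed) after deactivation:", token_after_deactivation())
```

Whether `preferred_username` is actually mutable at a given IdP depends on tenant configuration, which is exactly why the relying party must not depend on it: `sub` is the only claim OpenID Connect guarantees to be stable and unique per issuer.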
 
Open5GS–Open5GS An issue was discovered in Open5GS 2.7.5-49-g465e90f. When processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the F-TEID nested in CreatePDR/PDI has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service. 2025-12-18 not yet calculated CVE-2025-65559 https://github.com/open5gs/open5gs/issues/4135
 
free5GC–free5GC An issue was discovered in the function LocalNode.Sess in free5GC 4.1.0, allowing attackers to cause a denial of service or other unspecified impacts via a crafted Local SEID in the header of a PFCP Session Modification Request. 2025-12-18 not yet calculated CVE-2025-65561 https://github.com/free5gc/free5gc/issues/730
https://github.com/free5gc/go-upf/pull/80
 
free5GC–free5GC The free5GC UPF lacks bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when the uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0, with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required. 2025-12-18 not yet calculated CVE-2025-65562 https://github.com/free5gc/free5gc/issues/731
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF’s N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. 2025-12-18 not yet calculated CVE-2025-65563 https://github.com/omec-project/upf/issues/955
https://github.com/omec-project/upf/pull/963
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-upf (upf-epc-pfcpiface) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory Recovery Time Stamp Information Element, the association setup handler dereferences a nil pointer via IE.RecoveryTimeStamp() instead of validating the message. This results in a panic and terminates the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF’s N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. 2025-12-18 not yet calculated CVE-2025-65564 https://github.com/omec-project/upf/issues/956
https://github.com/omec-project/upf/pull/964
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not properly validated. The session establishment handler calls IE.FSEID() on a nil pointer, which triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF’s N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. 2025-12-18 not yet calculated CVE-2025-65565 https://github.com/omec-project/upf/issues/957
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a nil pointer instead of rejecting the malformed message. This triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Report Response messages to the UPF’s N4/PFCP endpoint can exploit this flaw to repeatedly crash the UPF and disrupt user-plane services. 2025-12-18 not yet calculated CVE-2025-65566 https://github.com/omec-project/upf/issues/958
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not robustly validated. The Flow-Description parser (parseFlowDesc) can read beyond the bounds of the provided buffer, causing a panic and terminating the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF’s N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF. 2025-12-18 not yet calculated CVE-2025-65567 https://github.com/omec-project/upf/issues/959
 
omec-project–omec-project A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a PFCP Session Establishment Request that includes a CreateFAR with an empty or truncated IPv4 address field is not properly validated. During parsing, parseFAR() calls ip2int(), which performs an out-of-bounds read on the IPv4 address buffer and triggers an index-out-of-range panic. An attacker who can send PFCP Session Establishment Request messages to the UPF’s N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. 2025-12-18 not yet calculated CVE-2025-65568 http://omec-projectupf.com
http://upf-epc-pfcpiface.com
https://github.com/omec-project/upf/issues/962
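
The free5GC and omec-project entries above (CVE-2025-65561 through CVE-2025-65568) are one defect family: the N4 handler trusts the wire format and touches an IE before confirming it is present or long enough, or converts an unsigned SEID to a signed index. The block below is an added example, not code from free5GC, Open5GS or omec-project. It parses the PFCP header and IE list with every length checked against the buffer, rejects messages missing the IEs the handlers dereferenced, and range-checks the SEID as an unsigned value before it becomes an index. Message and IE type codes are taken from 3GPP TS 29.244; the mandatory-IE table is a subset limited to the IEs the entries name; the session-table layout and the sample messages are constructed for the demo.

```python
import struct

# Message types and IE type codes per 3GPP TS 29.244 (PFCP).
MSG_ASSOC_SETUP_REQ, MSG_SESS_EST_REQ = 5, 50
MSG_SESS_DEL_REQ, MSG_SESS_REPORT_RESP = 54, 57
IE_CAUSE, IE_FSEID, IE_NODE_ID, IE_RECOVERY_TS = 19, 57, 60, 96

# IEs the vulnerable handlers dereferenced without checking for presence (subset).
MANDATORY = {
    MSG_ASSOC_SETUP_REQ: {IE_NODE_ID, IE_RECOVERY_TS},
    MSG_SESS_EST_REQ: {IE_NODE_ID, IE_FSEID},
    MSG_SESS_REPORT_RESP: {IE_CAUSE},
}


def parse_pfcp(data: bytes):
    """Parse one PFCP message into (msg_type, seid_or_None, {ie_type: [value, ...]}).
    Every length is checked before use, so a truncated IE (the CreateFAR /
    Flow-Description over-reads) is a ValueError rather than an out-of-bounds read."""
    if len(data) < 8:
        raise ValueError("short header")
    flags, msg_type, length = struct.unpack_from("!BBH", data, 0)
    if flags >> 5 != 1:
        raise ValueError("unsupported PFCP version")
    if length != len(data) - 4:
        raise ValueError("length field does not match payload")
    seid, off = None, 4
    if flags & 0x01:  # S flag: an 8-octet SEID follows the length field
        if len(data) < 16:
            raise ValueError("short session header")
        seid = struct.unpack_from("!Q", data, 4)[0]  # kept unsigned on purpose
        off = 12
    off += 4  # 3-octet sequence number + 1 spare octet
    ies = {}
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated IE header")
        ie_type, ie_len = struct.unpack_from("!HH", data, off)
        off += 4
        if off + ie_len > len(data):
            raise ValueError("IE length exceeds message")
        ies.setdefault(ie_type, []).append(data[off:off + ie_len])
        off += ie_len
    return msg_type, seid, ies


def validate(data: bytes) -> str:
    """Reject malformed or incomplete messages instead of letting a handler crash."""
    try:
        msg_type, _seid, ies = parse_pfcp(data)
    except ValueError as exc:
        return f"reject: {exc}"
    missing = MANDATORY.get(msg_type, set()) - ies.keys()
    if missing:
        return f"reject: missing mandatory IE(s) {sorted(missing)}"
    return "ok"


class SessionTable:
    """Local sessions addressed by SEID; 1-based indexing is an assumption for the demo."""

    def __init__(self, capacity: int):
        self.sess = [None] * capacity

    def lookup(self, seid: int):
        # Go's int(uint64(0xFFFFFFFFFFFFFFFF)) is -1, and n.sess[-1] panics.
        # Range-check the unsigned value before it ever becomes an index.
        if not 0 < seid <= len(self.sess):
            return None
        return self.sess[seid - 1]


# --- constructed sample messages (not captured traffic) ---------------------
def ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value


def build(msg_type: int, ies, seid=None, seq: int = 1) -> bytes:
    tail = struct.pack("!I", seq << 8)  # sequence number (3 octets) + spare octet
    if seid is not None:
        tail = struct.pack("!Q", seid) + tail
    payload = tail + b"".join(ies)
    flags = 0x20 | (0x01 if seid is not None else 0)  # version 1, S flag
    return struct.pack("!BBH", flags, msg_type, len(payload)) + payload


NODE_ID = ie(IE_NODE_ID, b"\x00" + bytes([10, 0, 0, 1]))  # Node ID type 0 = IPv4
RECOVERY = ie(IE_RECOVERY_TS, struct.pack("!I", 0xE8A1B2C3))
GOOD_ASSOC = build(MSG_ASSOC_SETUP_REQ, [NODE_ID, RECOVERY])
NO_NODE_ID = build(MSG_ASSOC_SETUP_REQ, [RECOVERY])                   # CVE-2025-65563 shape
NO_RECOVERY = build(MSG_ASSOC_SETUP_REQ, [NODE_ID])                   # CVE-2025-65564 shape
SESS_EST_NO_FSEID = build(MSG_SESS_EST_REQ, [NODE_ID], seid=0)        # CVE-2025-65565 shape
TRUNCATED_IE = build(MSG_ASSOC_SETUP_REQ, [struct.pack("!HH", IE_NODE_ID, 10) + b"\x00\x01"])  # over-read shape
HUGE_SEID_DEL = build(MSG_SESS_DEL_REQ, [], seid=0xFFFFFFFFFFFFFFFF)  # CVE-2025-65562 shape

if __name__ == "__main__":
    for name in ("GOOD_ASSOC", "NO_NODE_ID", "NO_RECOVERY", "SESS_EST_NO_FSEID", "TRUNCATED_IE"):
        print(f"{name:18} -> {validate(globals()[name])}")
    print("huge SEID lookup ->", SessionTable(8).lookup(parse_pfcp(HUGE_SEID_DEL)[1]))
```

The same parser, fed from a UDP socket on port 8805, is a cheap N4 fuzzing harness: anything that makes `parse_pfcp` raise is a message the real UPF should also reject cleanly, and the four constants above are the minimal reproducers for the crash classes the entries describe.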
 
Volosoft–Volosoft An open redirect vulnerability exists in the Account module in Volosoft ABP Framework >= 5.1.0 and < 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains. 2025-12-16 not yet calculated CVE-2025-65581 https://github.com/abpframework/abp/commit/a01adc58464d278ca817c4bbb6cbce30f155d0d1
https://github.com/abpframework/abp/commit/44a2dc14e933f3ce1ca93f9313d836694ab77d1d
 
nopCommerce–nopCommerce nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. 2025-12-16 not yet calculated CVE-2025-65589 https://www.nopcommerce.com/
https://seclists.org/fulldisclosure/2025/Dec/16
 
nopCommerce–nopCommerce nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. 2025-12-16 not yet calculated CVE-2025-65590 https://www.nopcommerce.com/
https://seclists.org/fulldisclosure/2025/Dec/17
 
nopCommerce–nopCommerce nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. 2025-12-16 not yet calculated CVE-2025-65591 https://www.nopcommerce.com/
https://seclists.org/fulldisclosure/2025/Dec/18
 
nopCommerce–nopCommerce nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the “Product Name” and “Short Description” fields are stored in the backend database and executed automatically whenever a user views the affected pages. 2025-12-16 not yet calculated CVE-2025-65592 https://www.nopcommerce.com/
https://seclists.org/fulldisclosure/2025/Dec/19
 
nopCommerce–nopCommerce nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. 2025-12-16 not yet calculated CVE-2025-65593 https://www.nopcommerce.com/
https://seclists.org/fulldisclosure/2025/Dec/20
 
OmniDocs–OmniDocs An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request. 2025-12-15 not yet calculated CVE-2025-65742 https://newgensoft.com/
https://github.com/CBx216/CVE-2025-65742-Newgen-OmniDocs-LDAP-BFLA/blob/main/CVE-2025-65742.md
 
Wekan–Wekan An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application’s origin and enabling session/token theft and CSRF actions. 2025-12-15 not yet calculated CVE-2025-65778 https://github.com/wekan/wekan
https://wekan.fi/hall-of-fame/spacebleed/
https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan–release
 
Wekan–Wekan An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board’s “sort” value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards. 2025-12-15 not yet calculated CVE-2025-65779 https://github.com/wekan/wekan
https://wekan.fi/hall-of-fame/spacebleed/
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan–release
https://github.com/wekan/wekan/commit/ea310d7508b344512e5de0dfbc9bdfd38145c5c5
 
Wekan–Wekan An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs. 2025-12-15 not yet calculated CVE-2025-65780 https://github.com/wekan/wekan
https://wekan.fi/hall-of-fame/spacebleed/
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan–release
https://github.com/wekan/wekan/commit/f26d58201855e861bab1cd1fda4d62c664efdb81
 
Wekan–Wekan An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing. 2025-12-15 not yet calculated CVE-2025-65781 https://github.com/wekan/wekan
https://wekan.fi/hall-of-fame/spacebleed/
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan–release
https://github.com/wekan/wekan/commit/ccd90343394f433b287733ad0a33c08e0a71f53c
 
Wekan–Wekan An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. 2025-12-15 not yet calculated CVE-2025-65782 https://github.com/wekan/wekan
https://wekan.fi/hall-of-fame/spacebleed/
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan–release
https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c
 
Meltytech–Shotcut Meltytech Shotcut 25.10.31 is vulnerable to a buffer overflow. A memory access violation occurs when processing MLT project files with manipulated width and height parameters. By setting these values to extremely large numbers, the application attempts to allocate excessive memory during image processing, triggering a buffer overflow in the mlt_image_fill_white function. 2025-12-16 not yet calculated CVE-2025-65834 https://sourceforge.net/projects/shotcut/files/v25.10.31/shotcut-macos-25.10.31.dmg/download
https://bytescan.net/CVE/cve-2025-65834.html
 
Cordova–Cordova The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin. 2025-12-15 not yet calculated CVE-2025-65835 https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin
https://www.npmjs.com/package/cordova-plugin-x-socialsharing
https://medium.com/@lcrawfqrd/local-dos-via-exported-receivers-f6b1da10d3b7
 
Netun–Netun The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. 2025-12-17 not yet calculated CVE-2025-65855 https://docs.espressif.com/projects/esp-idf/en/v4.3.2/
https://luismirandaacebedo.github.io/CVE-2025-65855/
 
ThimPress–LearnPress Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4. 2025-12-18 not yet calculated CVE-2025-66054 https://vdp.patchstack.com/database/Wordpress/Plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-2-9-4-broken-access-control-vulnerability?_s_id=cve
 
InstaWP–InstaWP Connect Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.1.9. 2025-12-18 not yet calculated CVE-2025-66068 https://vdp.patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-1-9-broken-access-control-vulnerability?_s_id=cve
 
Tomdever–wpForo Forum Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.10. 2025-12-18 not yet calculated CVE-2025-66070 https://vdp.patchstack.com/database/Wordpress/Plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-2-4-10-broken-access-control-vulnerability?_s_id=cve
 
Cozmoslabs–WP Webhooks Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8. 2025-12-18 not yet calculated CVE-2025-66074 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-arbitrary-file-upload-vulnerability?_s_id=cve
 
jetmonsters–Hotel Booking Lite Improper Control of Generation of Code (‘Code Injection’) vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3. 2025-12-18 not yet calculated CVE-2025-66078 https://vdp.patchstack.com/database/Wordpress/Plugin/motopress-hotel-booking-lite/vulnerability/wordpress-hotel-booking-lite-plugin-5-2-3-remote-code-execution-rce-vulnerability?_s_id=cve
 
Property Hive–PropertyHive Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12. 2025-12-18 not yet calculated CVE-2025-66088 https://vdp.patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-1-12-broken-access-control-vulnerability-2?_s_id=cve
 
Magnigenie–RestroPress Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RestroPress: from n/a through <= 3.2.3.5. 2025-12-18 not yet calculated CVE-2025-66100 https://vdp.patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-3-5-broken-access-control-vulnerability?_s_id=cve
 
FolioVision–FV Antispam Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS. This issue affects FV Antispam: from n/a through <= 2.7. 2025-12-18 not yet calculated CVE-2025-66102 https://vdp.patchstack.com/database/Wordpress/Plugin/fv-antispam/vulnerability/wordpress-fv-antispam-plugin-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Anton Vanyukov–Offload, AI & Optimize with Cloudflare Images Missing Authorization vulnerability in Anton Vanyukov Offload, AI & Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Offload, AI & Optimize with Cloudflare Images: from n/a through <= 1.9.5. 2025-12-18 not yet calculated CVE-2025-66104 https://vdp.patchstack.com/database/Wordpress/Plugin/cf-images/vulnerability/wordpress-offload-ai-optimize-with-cloudflare-images-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve
 
UserElements–Ultimate Member Widgets for Elementor Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3. 2025-12-18 not yet calculated CVE-2025-66116 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-member-widgets-for-elementor/vulnerability/wordpress-ultimate-member-widgets-for-elementor-plugin-2-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Ays Pro–Easy Form Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form: from n/a through <= 2.7.8. 2025-12-18 not yet calculated CVE-2025-66117 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-form/vulnerability/wordpress-easy-form-plugin-2-7-8-broken-access-control-vulnerability?_s_id=cve
 
BoldGrid–Sprout Clients Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BoldGrid Sprout Clients sprout-clients allows Reflected XSS. This issue affects Sprout Clients: from n/a through <= 3.2.1. 2025-12-18 not yet calculated CVE-2025-66118 https://vdp.patchstack.com/database/Wordpress/Plugin/sprout-clients/vulnerability/wordpress-sprout-clients-plugin-3-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Bob–Hostel Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Bob Hostel hostel allows Reflected XSS. This issue affects Hostel: from n/a through <= 1.1.5.9. 2025-12-18 not yet calculated CVE-2025-66119 https://vdp.patchstack.com/database/Wordpress/Plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CatFolders–CatFolders Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CatFolders: from n/a through <= 2.5.3. 2025-12-16 not yet calculated CVE-2025-66120 https://vdp.patchstack.com/database/Wordpress/Plugin/catfolders/vulnerability/wordpress-catfolders-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve
 
SiteGround–SiteGround Security Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteGround Security: from n/a through <= 1.5.8. 2025-12-16 not yet calculated CVE-2025-66121 https://vdp.patchstack.com/database/Wordpress/Plugin/sg-security/vulnerability/wordpress-siteground-security-plugin-1-5-8-broken-access-control-vulnerability?_s_id=cve
 
Design–Stylish Price List Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stylish Price List: from n/a through <= 7.2.2. 2025-12-16 not yet calculated CVE-2025-66122 https://vdp.patchstack.com/database/Wordpress/Plugin/stylish-price-list/vulnerability/wordpress-stylish-price-list-plugin-7-2-2-broken-access-control-vulnerability?_s_id=cve
 
ZEEN101–Leaky Paywall Missing Authorization vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Leaky Paywall: from n/a through <= 4.22.5. 2025-12-16 not yet calculated CVE-2025-66124 https://vdp.patchstack.com/database/Wordpress/Plugin/leaky-paywall/vulnerability/wordpress-leaky-paywall-plugin-4-22-5-broken-access-control-vulnerability?_s_id=cve
 
Nitesh–Ultimate Auction Insertion of Sensitive Information Into Sent Data vulnerability in Nitesh Ultimate Auction ultimate-auction allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Auction: from n/a through <= 4.3.2. 2025-12-16 not yet calculated CVE-2025-66125 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-auction/vulnerability/wordpress-ultimate-auction-plugin-4-3-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
wowpress.host–Fix Media Library Insertion of Sensitive Information Into Sent Data vulnerability in wowpress.host Fix Media Library wow-media-library-fix allows Retrieve Embedded Sensitive Data. This issue affects Fix Media Library: from n/a through <= 2.0. 2025-12-16 not yet calculated CVE-2025-66126 https://vdp.patchstack.com/database/Wordpress/Plugin/wow-media-library-fix/vulnerability/wordpress-fix-media-library-plugin-2-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
g5theme–Essential Real Estate Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2. 2025-12-16 not yet calculated CVE-2025-66127 https://vdp.patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-broken-access-control-vulnerability?_s_id=cve
 
Brevo–Sendinblue for WooCommerce Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49. 2025-12-16 not yet calculated CVE-2025-66128 https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-sendinblue-newsletter-subscription/vulnerability/wordpress-sendinblue-for-woocommerce-plugin-4-0-49-broken-access-control-vulnerability?_s_id=cve
 
wppochipp–Pochipp Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through <= 1.18.0. 2025-12-16 not yet calculated CVE-2025-66129 https://vdp.patchstack.com/database/Wordpress/Plugin/pochipp/vulnerability/wordpress-pochipp-plugin-1-18-0-broken-access-control-vulnerability?_s_id=cve
 
etruel–WP Views Counter Missing Authorization vulnerability in etruel WP Views Counter wpecounter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Views Counter: from n/a through <= 2.1.2. 2025-12-16 not yet calculated CVE-2025-66130 https://vdp.patchstack.com/database/Wordpress/Plugin/wpecounter/vulnerability/wordpress-wp-views-counter-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve
 
yaadsarig–Yaad Sarig Payment Gateway For WC Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10. 2025-12-16 not yet calculated CVE-2025-66131 https://vdp.patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability?_s_id=cve
 
FAPI Business s.r.o.–FAPI Member Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FAPI Member: from n/a through <= 2.2.26. 2025-12-16 not yet calculated CVE-2025-66132 https://vdp.patchstack.com/database/Wordpress/Plugin/fapi-member/vulnerability/wordpress-fapi-member-plugin-2-2-26-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WP Legal Pages–WP Cookie Notice for GDPR, CCPA & ePrivacy Consent Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.7. 2025-12-16 not yet calculated CVE-2025-66133 https://vdp.patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-7-broken-access-control-vulnerability?_s_id=cve
 
NinjaTeam–FileBird Pro Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FileBird Pro: from n/a through <= 6.4.9. 2025-12-16 not yet calculated CVE-2025-66134 https://vdp.patchstack.com/database/Wordpress/Plugin/filebird-pro/vulnerability/wordpress-filebird-pro-plugin-6-4-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Coder for Elementor Missing Authorization vulnerability in merkulove Coder for Elementor coder-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coder for Elementor: from n/a through <= 1.0.13. 2025-12-16 not yet calculated CVE-2025-66147 https://vdp.patchstack.com/database/Wordpress/Plugin/coder-elementor/vulnerability/wordpress-coder-for-elementor-plugin-1-0-13-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Grider for Elementor Missing Authorization vulnerability in merkulove Grider for Elementor grider-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grider for Elementor: from n/a through <= 1.0.8. 2025-12-16 not yet calculated CVE-2025-66161 https://vdp.patchstack.com/database/Wordpress/Plugin/grider-elementor/vulnerability/wordpress-grider-for-elementor-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Spoter for Elementor Missing Authorization vulnerability in merkulove Spoter for Elementor spoter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spoter for Elementor: from n/a through <= 1.04. 2025-12-16 not yet calculated CVE-2025-66162 https://vdp.patchstack.com/database/Wordpress/Plugin/spoter-elementor/vulnerability/wordpress-spoter-for-elementor-plugin-1-04-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Masker for Elementor Missing Authorization vulnerability in merkulove Masker for Elementor masker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Masker for Elementor: from n/a through <= 1.1.4. 2025-12-16 not yet calculated CVE-2025-66163 https://vdp.patchstack.com/database/Wordpress/Plugin/masker-elementor/vulnerability/wordpress-masker-for-elementor-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Laser Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Laser: from n/a through <= 1.1.1. 2025-12-16 not yet calculated CVE-2025-66164 https://vdp.patchstack.com/database/Wordpress/Plugin/laser/vulnerability/wordpress-laser-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Lottier for WPBakery Missing Authorization vulnerability in merkulove Lottier for WPBakery lottier-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for WPBakery: from n/a through <= 1.1.7. 2025-12-16 not yet calculated CVE-2025-66165 https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-wpbakery/vulnerability/wordpress-lottier-for-wpbakery-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Lottier for Elementor Missing Authorization vulnerability in merkulove Lottier for Elementor lottier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9. 2025-12-16 not yet calculated CVE-2025-66166 https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-elementor/vulnerability/wordpress-lottier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Lottier Missing Authorization vulnerability in merkulove Lottier lottier-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier: from n/a through <= 1.1.1. 2025-12-16 not yet calculated CVE-2025-66167 https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-gutenberg/vulnerability/wordpress-lottier-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve
 
Inaba Denki Sangyo Co., Ltd.–CHOCO TEI WATCHER mini (IB-MCT001) CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product’s resources may be consumed abnormally. 2025-12-16 not yet calculated CVE-2025-66357 https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf
https://jvn.jp/en/vu/JVNVU92827367/
 
Apache Software Foundation–Apache Airflow A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue. 2025-12-15 not yet calculated CVE-2025-66388 https://github.com/apache/airflow/pull/58772
https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
 
misskey-dev–misskey Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view the contents. Version 2025.12.0 fixes the issue. 2025-12-15 not yet calculated CVE-2025-66402 https://github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3
https://github.com/misskey-dev/misskey/commit/dc77d59f8712d3fe0b73cd4af2035133839cd57b
 
Frappe ERPNext–Frappe ERPNext An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information. 2025-12-15 not yet calculated CVE-2025-66434 https://www.notion.so/SSTI-bug-1-239e6086eadc8096bfcfe90551a3a483?source=copy_link
https://iamanc.github.io/post/erpnext-ssti-bug-1
 
Frappe ERPNext–Frappe ERPNext An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information. 2025-12-15 not yet calculated CVE-2025-66435 https://www.notion.so/SSTI-bug-2-239e6086eadc80878e8fcc7b6c26a584?source=copy_link
https://iamanc.github.io/post/erpnext-ssti-bug-2
 
Frappe ERPNext–Frappe ERPNext An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Terms and Conditions document can inject arbitrary Jinja expressions into the terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information. 2025-12-15 not yet calculated CVE-2025-66436 https://www.notion.so/SSTI-bug-3-239e6086eadc8020aeecdaf123e32f3d?source=copy_link
https://iamanc.github.io/post/erpnext-ssti-bug-3
 
Frappe ERPNext–Frappe ERPNext An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure. 2025-12-15 not yet calculated CVE-2025-66437 https://www.notion.so/SSTI-bug-4-239e6086eadc80aa9331fba874c674a5?source=copy_link
https://iamanc.github.io/post/erpnext-ssti-bug-4
 
Frappe ERPNext–Frappe ERPNext A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals. 2025-12-15 not yet calculated CVE-2025-66438 https://www.notion.so/SSTI-bug-5-239e6086eadc80a48f17c1257a604d2c?source=copy_link
https://iamanc.github.io/post/erpnext-ssti-bug-5
 
Frappe ERPNext–Frappe ERPNext An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the from_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding. 2025-12-15 not yet calculated CVE-2025-66439 https://github.com/frappe/frappe/security
https://iamanc.github.io/post/erpnext-sqli
 
Frappe ERPNext–Frappe ERPNext An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding. 2025-12-15 not yet calculated CVE-2025-66440 https://github.com/frappe/frappe/security
https://iamanc.github.io/post/erpnext-sqli
 
misskey-dev–misskey Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy, or who do not use a reverse proxy at all, can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added to the config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping the default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure whether they manually overrode this value should check their config for optimal behavior. Users running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, a workaround is available: set `trustProxy: false` in the config file. 2025-12-15 not yet calculated CVE-2025-66482 https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm
https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7
 
Apache Software Foundation–Apache NiFi Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation. 2025-12-19 not yet calculated CVE-2025-66524 https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7
 
SEIKO EPSON CORPORATION–Web Config Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config. Specially crafted data input by a logged-in user may execute arbitrary code. As for the details of the affected products and versions, see the information provided by the vendor under [References]. 2025-12-16 not yet calculated CVE-2025-66635 https://www.epson.jp/support/misc_t/251216_oshirase.htm
https://epson.com/Support/wa00971
https://jvn.jp/en/jp/JVN51846148/
 
RIOT-OS–RIOT RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving a fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue. 2025-12-17 not yet calculated CVE-2025-66646 https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v8gx-q9m6-5xm9
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L420
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L490
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L534
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c#L150C1-L150C76
https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
https://github.com/user-attachments/files/23903992/reproducer_1.zip
 
RIOT-OS–RIOT RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers, which an attacker might be able to use to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue. 2025-12-17 not yet calculated CVE-2025-66647 https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-wh3v-q6vr-j79r
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L481
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544
https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
 
grav–Java grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page. 2025-12-15 not yet calculated CVE-2025-66843 https://github.com/Yohane-Mashiro/grav_cve/issues/1
 
grav–Java In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered. 2025-12-15 not yet calculated CVE-2025-66844 https://github.com/Yohane-Mashiro/grav_cve/issues/2
 
tkFile–Take Web The Takes web framework’s TkFiles take through 2.0-SNAPSHOT fails to canonicalize HTTP request paths before resolving them against the filesystem. A remote attacker can include ../ sequences in the request path to escape the configured base directory and read arbitrary files from the host system. 2025-12-19 not yet calculated CVE-2025-66905 https://github.com/yegor256/takes
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66905_report.md
 
SNAPSHOT–SNAPSHOT Cross Site Request Forgery (CSRF) vulnerability in Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges. 2025-12-19 not yet calculated CVE-2025-66906 https://github.com/turms-im/turms
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66906_report.md
 
SNAPSHOT–SNAPSHOT Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to “image/*” or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served. 2025-12-19 not yet calculated CVE-2025-66908 https://github.com/turms-im/turms
https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66908_report.md
 
SNAPSHOT–SNAPSHOT Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV’s imread() function without validating dimensions or pixel count before decompression. An attacker can upload a specially crafted compressed image file (e.g., PNG) that is small when compressed but expands to gigabytes of memory when loaded. This causes immediate memory exhaustion, OutOfMemoryError, and service crash. No authentication is required if the OCR service is publicly accessible. Multiple requests can completely deny service availability. 2025-12-19 not yet calculated CVE-2025-66909 https://github.com/turms-im/turms
https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/ai/djl/opencv/ExtendedOpenCVImage.java#L37
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66909_report.md
 
SNAPSHOT–SNAPSHOT Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection. 2025-12-19 not yet calculated CVE-2025-66910 https://github.com/turms-im/turms
https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34
https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md
 
turms-im–turms Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online-status query. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java lets any authenticated user query the online status, device information, and login timestamps of arbitrary users without an authorization check. 2025-12-19 not yet calculated CVE-2025-66911 https://github.com/turms-im/turms
https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239
https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md
 
opensourcepos–opensourcepos A cross-site scripting (XSS) vulnerability in the Create/Update Item(s) module of Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the “name” parameter. 2025-12-17 not yet calculated CVE-2025-66921 https://github.com/opensourcepos/opensourcepos
https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md
 
opensourcepos–opensourcepos A cross-site scripting (XSS) vulnerability in the Create/Update Customer(s) module of Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. 2025-12-17 not yet calculated CVE-2025-66923 https://github.com/opensourcepos/opensourcepos
https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66923/readme.md
 
opensourcepos–opensourcepos A cross-site scripting (XSS) vulnerability in the Create/Update Item Kit(s) module of Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the “name” parameter. 2025-12-17 not yet calculated CVE-2025-66924 https://github.com/opensourcepos/opensourcepos
https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66924/readme.md
 
Narda MITEQ–Uplink Power Control Unit UPC2 A CSRF vulnerability in the Narda MITEQ Uplink Power Control Unit UPC2 v1.17 allows a remote attacker to execute arbitrary code via the web-based management interface, specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?…, and /channel_setup.htm endpoints. 2025-12-17 not yet calculated CVE-2025-66953 https://www.nardamiteq.com/
https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-66953%20_%20narda%20miteq%20Uplink%20Power%20Contril%20Unitl%20UPC2%20_%20CSRF
 
Hitron–HI3120 An insufficient session expiration issue in Hitron HI3120 v7.2.4.5.2b1 allows a local attacker to obtain sensitive information via the Logout option in index.html, which does not invalidate the session. 2025-12-15 not yet calculated CVE-2025-66963 http://hitron.com
https://github.com/kakarotossj3/CVEs/blob/main/Hitron/Insufficient%20Session%20Expiration/Details
 
Tenda–AC10 A buffer overflow in the fromAdvSetMacMtuWan function of the httpd binary in Tenda AC10 V4.0 V16.03.10.20 allows remote attackers to cause a denial of service and possibly execute code by sending a POST request with a crafted `serviceName` field to /goform/AdvSetMacMtuWan. 2025-12-17 not yet calculated CVE-2025-67073 https://github.com/johnathanhuutri/CVEReport/tree/master/CVE-2025-67073
 
Tenda–AC10 A buffer overflow in the fromAdvSetMacMtuWan function of the httpd binary in Tenda AC10 V4.0 V16.03.10.20 allows remote attackers to cause a denial of service and possibly execute code by sending a POST request with a crafted `serverName` field to /goform/AdvSetMacMtuWan. 2025-12-17 not yet calculated CVE-2025-67074 https://github.com/johnathanhuutri/CVEReport/tree/master/CVE-2025-67074
 
SimpleMachines–SMF A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web script or HTML by injecting a crafted payload into the Forum Name parameter. 2025-12-18 not yet calculated CVE-2025-67163 https://github.com/SimpleMachines/SMF/security/advisories/GHSA-p2xm-x9fp-5r7x
https://github.com/SimpleMachines/SMF/blob/release-3.0/Themes/default/Stats.template.php#L26
https://github.com/SimpleMachines/SMF
https://wiki.simplemachines.org/smf/Installing
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67163
 
pagekit–pagekit An authenticated arbitrary file upload vulnerability in Pagekit CMS v1.0.18 allows attackers to execute arbitrary code by uploading a crafted PHP file (e.g., to /storage/poc.php). 2025-12-17 not yet calculated CVE-2025-67164 https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67164
 
pagekit–pagekit An insecure direct object reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. 2025-12-17 not yet calculated CVE-2025-67165 https://github.com/pagekit/pagekit
https://github.com/pagekit/docs/blob/develop/user-interface/users.md#roles
https://github.com/pagekit/docs/blob/develop/user-interface/users.md#permissions
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67165
 
RiteCMS–RiteCMS RiteCMS v3.1.0 uses insecure encryption to store passwords (see functions.admin.inc.php); stored credentials should instead use a slow, salted password hash such as bcrypt or Argon2. 2025-12-17 not yet calculated CVE-2025-67168 https://github.com/handylulu/RiteCMS
https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.admin.inc.php
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67168
 
RiteCMS–RiteCMS A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary script in the context of a user’s browser via a crafted payload. 2025-12-17 not yet calculated CVE-2025-67170 https://github.com/handylulu/RiteCMS/
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67170
 
RiteCMS–RiteCMS Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal. 2025-12-17 not yet calculated CVE-2025-67171 https://github.com/handylulu/RiteCMS/
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67171
 
RiteCMS–RiteCMS RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function. 2025-12-17 not yet calculated CVE-2025-67172 https://github.com/handylulu/RiteCMS/
https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.inc.php#L297
https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.inc.php#L504
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67172
 
RiteCMS–RiteCMS A cross-site request forgery (CSRF) vulnerability in the page creation/editing function of RiteCMS v3.1.0 allows attackers to create arbitrary pages via a crafted POST request. 2025-12-17 not yet calculated CVE-2025-67173 https://github.com/handylulu/RiteCMS/
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67173
 
RiteCMS–RiteCMS A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via directory traversal in the admin_language_file and default_page_language_file parameters of admin.php. 2025-12-17 not yet calculated CVE-2025-67174 https://github.com/handylulu/RiteCMS
https://github.com/handylulu/RiteCMS/blob/master/admin.php#L46
https://github.com/handylulu/RiteCMS/blob/master/cms/subtemplates/settings.inc.tpl#L64
https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67174
 
ITSourcecode–COVID Tracking System Using QR-Code A SQL injection vulnerability exists in ‘/cts/admin/?page=zone’ of ITSourcecode COVID Tracking System Using QR-Code v1.0: the ‘id’ parameter is used directly in SQL queries without sanitization or validation, so an attacker can inject arbitrary SQL through it. 2025-12-17 not yet calculated CVE-2025-67285 https://github.com/bardminx/Lonlydance/issues/1
 
EVE-NG–EVE-NG EVE-NG 6.4.0-13-PRO is vulnerable to directory traversal. The /api/export interface, which lets authenticated users export lab files, does not validate or filter the user-supplied file path parameters. 2025-12-19 not yet calculated CVE-2025-67442 https://github.com/XunMInt/cve/blob/main/EVE-NG_20251207.md
 
weDevs–WP ERP Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP (erp) allows retrieval of embedded sensitive data. This issue affects WP ERP: all versions through 1.16.6. 2025-12-18 not yet calculated CVE-2025-67546 https://vdp.patchstack.com/database/Wordpress/Plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-16-6-sensitive-data-exposure-vulnerability?_s_id=cve
 
FreePBX–security-reporting FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. The deprecated `amportal` utility looks up the `freepbx_engine` file in `/etc/asterisk/` directories, which FreePBX typically configures as writable by the **asterisk** user and any member of the **asterisk** group. A member of the **asterisk** group can therefore place their own `freepbx_engine` file in `/etc/asterisk/`, and when `amportal` runs it executes that file with root permissions even though the file was created by a non-root user. Versions 16.0.45 and 17.0.24 contain a fix. Other mitigations are also available: confirm that only trusted local OS users are members of the `asterisk` group; look for suspicious files in `/etc/asterisk/` (via Admin -> Config Edit in the GUI, or via the CLI); double-check that `live_dangerously = no` is set (or left unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf`; and eliminate any unsafe custom use of Asterisk dial plan applications and functions that can manipulate the file system, e.g., System(), FILE(), etc. 2025-12-16 not yet calculated CVE-2025-67722 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
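The `amportal` entry above lists three things to verify on a host that cannot be patched immediately. The block below is an added example for this summary, not FreePBX's own tooling: it parses the group and passwd databases to list everyone who can write to `/etc/asterisk/` through the `asterisk` group (supplementary members plus users whose primary group is `asterisk`), checks whether `asterisk.conf` enables `live_dangerously`, and reports any `freepbx_engine` file under the config directory together with its owner and group/world write bits. The sample group, passwd and config contents and the temporary stand-in for `/etc/asterisk/` are constructed for the demo; on a real host pass the contents of the real files and the real directory.

```python
import os
import re
import stat
import tempfile

# Constructed sample inputs (not taken from any real host): "alice" is a supplementary
# member of asterisk in /etc/group, "bob" has asterisk as primary group in /etc/passwd,
# and asterisk.conf turns live_dangerously on after a commented-out "no".
DEMO_GROUP = "root:x:0:\nasterisk:x:995:alice\n"
DEMO_PASSWD = (
    "root:x:0:0::/root:/bin/bash\n"
    "asterisk:x:995:995::/var/lib/asterisk:/sbin/nologin\n"
    "alice:x:1001:1001::/home/alice:/bin/bash\n"
    "bob:x:1002:995::/home/bob:/bin/bash\n"
)
DEMO_CONF = (
    "[directories](!)\nastetcdir => /etc/asterisk\n"
    "[options]\n; live_dangerously = no\nlive_dangerously = yes\n"
)

_LIVE_DANGEROUSLY = re.compile(r"^\s*live_dangerously\s*=>?\s*([^\s;]+)", re.IGNORECASE)


def asterisk_group_members(group_text, passwd_text, group="asterisk"):
    """Users who can write to /etc/asterisk/ via the group: supplementary members from
    /etc/group plus anyone whose primary GID in /etc/passwd is that group's GID."""
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is not None:
        for line in passwd_text.splitlines():
            fields = line.split(":")
            if len(fields) >= 4 and fields[3] == gid:
                members.add(fields[0])
    return sorted(members)


def live_dangerously_enabled(conf_text):
    """True if asterisk.conf sets live_dangerously to a truthy value (the default is no).
    ';' starts a comment, and the last assignment wins."""
    value = "no"
    for line in conf_text.splitlines():
        match = _LIVE_DANGEROUSLY.match(line.split(";", 1)[0])
        if match:
            value = match.group(1).lower()
    return value in {"yes", "true", "on", "1"}


def engine_files(asterisk_dir):
    """Every freepbx_engine under the config dir with its owner and write bits; a copy
    that is not root-owned, or is group/world writable, is the case the advisory warns about."""
    findings = []
    for root, _dirs, files in os.walk(asterisk_dir):
        for name in files:
            if name != "freepbx_engine":
                continue
            path = os.path.join(root, name)
            st = os.stat(path)
            findings.append({
                "path": path,
                "owner_uid": st.st_uid,
                "group_writable": bool(st.st_mode & stat.S_IWGRP),
                "world_writable": bool(st.st_mode & stat.S_IWOTH),
            })
    return findings


def audit(group_text, passwd_text, conf_text, asterisk_dir):
    """Combine the three checks into one report."""
    return {
        "asterisk_group_members": asterisk_group_members(group_text, passwd_text),
        "live_dangerously": live_dangerously_enabled(conf_text),
        "engine_files": engine_files(asterisk_dir),
    }


def build_demo_dir():
    """Constructed stand-in for /etc/asterisk/ holding a group-writable rogue engine file."""
    d = tempfile.mkdtemp(prefix="asterisk-demo-")
    path = os.path.join(d, "freepbx_engine")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho rogue engine\n")
    os.chmod(path, 0o664)
    return d


if __name__ == "__main__":
    # Real host: open("/etc/group").read(), open("/etc/passwd").read(),
    # open("/etc/asterisk/asterisk.conf").read(), "/etc/asterisk"
    print(audit(DEMO_GROUP, DEMO_PASSWD, DEMO_CONF, build_demo_dir()))
```

The `asterisk` service account itself will always appear in the member list; the finding to act on is any interactive user beside it. Hosts using LDAP or SSSD for accounts need `getent group asterisk` and `getent passwd` rather than the local files.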
 
FreePBX–security-reporting tts (Text to Speech) is a module for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Module versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with administrative access to the Administrator Control Panel (ACP) can leverage this SQL injection to extract sensitive information from the database and execute code on the system as the `asterisk` user, with chained elevation to `root` privileges. Users should upgrade to version 16.0.5 or 17.0.5 to receive a fix. 2025-12-16 not yet calculated CVE-2025-67736 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-632c-49p9-x7cw
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
 
trailofbits–fickling Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports, so an attacker can craft a malicious pickle that bypasses fickling because it does not detect `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses fickling to vet pickle files for security issues. Version 0.1.6 fixes the issue by blocking both modules. 2025-12-16 not yet calculated CVE-2025-67747 https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3
https://github.com/trailofbits/fickling/pull/186
https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913
https://github.com/trailofbits/fickling/releases/tag/v0.1.6
 
trailofbits–fickling Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues. 2025-12-16 not yet calculated CVE-2025-67748 https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2
https://github.com/trailofbits/fickling/pull/108
https://github.com/trailofbits/fickling/pull/187
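Both fickling entries above (CVE-2025-67747 and CVE-2025-67748) are the same failure mode: a block-list scanner that walks pickle opcodes is only as good as its list, and a module left off it (`types`, `marshal`, `pty`) turns a code-executing pickle into a `LIKELY_SAFE` verdict. The block below is an added example written for this summary, not fickling's code. It tokenises pickles with the standard library's `pickletools.genops` (never unpickling them), collects every `(module, name)` the unpickler would be asked to import via the `GLOBAL` and `STACK_GLOBAL` opcodes, and classifies the file against two block lists: an illustrative "old" list reproducing the gap, and the same list with the three modules added. The sample pickles are hand-assembled byte strings constructed for the demo, and the block lists are assumptions, not fickling's real configuration.

```python
import pickle
import pickletools
from typing import List, Tuple

# Illustrative block lists (not fickling's). OLD reproduces the gap described above;
# FIXED closes it the way 0.1.6 does by adding pty, marshal and types.
OLD_BLOCKLIST = {"os", "subprocess", "builtins", "sys", "posix", "nt",
                 "socket", "importlib", "codecs", "shutil"}
FIXED_BLOCKLIST = OLD_BLOCKLIST | {"pty", "marshal", "types"}

# Constructed pickles. They are only tokenised here, never loaded.
# Protocol 0, GLOBAL opcode ("c"): pty.spawn('/bin/sh')
PTY_PICKLE_P0 = b"cpty\nspawn\n(S'/bin/sh'\ntR."
# Protocol 4, STACK_GLOBAL opcode (0x93): module and name pushed as strings first
PTY_PICKLE_P4 = b"\x80\x04\x8c\x03pty\x8c\x05spawn\x93\x8c\x07/bin/sh\x85R."
# Protocol 0: types.FunctionType(marshal.loads('AAAA'), {}) -- a code object smuggled in
MARSHAL_PICKLE = b"ctypes\nFunctionType\n(cmarshal\nloads\n(S'AAAA'\ntR}tR."
# Harmless data pickle built with the stdlib pickler (no imports at all)
BENIGN_PICKLE = pickle.dumps({"model": "demo", "weights": [0.1, 0.2]}, protocol=4)

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Every (module, name) the pickle asks the unpickler to import, from an opcode walk."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: "module name" in one argument
            mod, name = arg.split(" ", 1)
            refs.append((mod, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: takes the two most recently
            name, mod = strings.pop(), strings.pop()   # pushed strings (name on top)
            refs.append((mod, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return refs


def classify(data: bytes, blocklist) -> str:
    """Verdict in the style of a block-list scanner: any reference into a blocked
    top-level module (or one of its submodules) is LIKELY_UNSAFE, otherwise LIKELY_SAFE."""
    for mod, _name in referenced_globals(data):
        if mod.split(".", 1)[0] in blocklist:
            return "LIKELY_UNSAFE"
    return "LIKELY_SAFE"


if __name__ == "__main__":
    for label, blob in [("pty proto0", PTY_PICKLE_P0), ("pty proto4", PTY_PICKLE_P4),
                        ("marshal/types", MARSHAL_PICKLE), ("benign", BENIGN_PICKLE)]:
        print(f"{label:14s} imports={referenced_globals(blob)} "
              f"old={classify(blob, OLD_BLOCKLIST)} fixed={classify(blob, FIXED_BLOCKLIST)}")
```

Two caveats a practitioner should keep in mind. First, the `STACK_GLOBAL` handling assumes the module and name are the two most recently pushed strings, which is what Python's pickler emits; a hand-built pickle can route them through the memo (`MEMOIZE`/`BINGET`) and defeat this simplistic tracking, so a real scanner must simulate the full unpickler stack. Second, any block list is a denial list and will have gaps like the ones in these two advisories; a pickle from an untrusted source should not be loaded at all, regardless of verdict, and formats that carry no code (for example safetensors for model weights) remove the problem rather than scoring it.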
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on Windows computers. 2025-12-17 not yet calculated CVE-2025-67781 https://drivelock.help/en-us/Content/Home.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 25.1.2 before 25.1.5. A cross-site scripting (XSS) issue in DriveLock Operations Center allows session takeover over a network. 2025-12-17 not yet calculated CVE-2025-67787 https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-002-CrossSiteScripting.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Authenticated users can retrieve the computer count of other DriveLock tenants via the DriveLock API. 2025-12-17 not yet calculated CVE-2025-67789 https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-004-DESInfoDisclosure.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could occasionally cause a Blue Screen of Death (BSOD) on Windows computers by passing an unterminated string to an IOCTL (a buffer over-read). 2025-12-17 not yet calculated CVE-2025-67790 https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-005-BufferOverreadBSOD.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service). 2025-12-17 not yet calculated CVE-2025-67791 https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-006-DESMisconfig.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate a DriveLock process to execute arbitrary commands on Windows computers. 2025-12-17 not yet calculated CVE-2025-67792 https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-007-LocalPrivilegeEsc.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the “Manage roles and permissions” privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges. 2025-12-17 not yet calculated CVE-2025-67793 https://drivelock.help/sb/Content/SecurityBulletins/25-008-DESPrivilegeEsc.htm
 
DriveLock–DriveLock An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. Directories and files created by the agent are created with overly permissive ACLs, allowing local users without administrator rights to trigger actions or destabilize the agent. 2025-12-17 not yet calculated CVE-2025-67794 https://drivelock.help/sb/Content/SecurityBulletins/25-009-AgIncPermissions.htm
 
Zimbra–Zimbra Collaboration An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows; if a user is tricked into approving such a request, the attacker could gain access to the user’s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked. 2025-12-15 not yet calculated CVE-2025-67809 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue. 2025-12-16 not yet calculated CVE-2025-67874 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x
https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions (“Edit Records” and “Manage Properties and Classifications”) can inject a persistent Cross-Site Scripting (XSS) payload into an administrator’s profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator’s session, perform administrative actions, and achieve a full account takeover. This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user’s profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user’s record properties. Version 6.5.3 fixes the issue. 2025-12-17 not yet calculated CVE-2025-67875 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcw7-mmfh-7vjm
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available. 2025-12-17 not yet calculated CVE-2025-67876 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue. 2025-12-17 not yet calculated CVE-2025-67877 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4
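The `CartToFamily.php` entry above describes a pattern worth seeing end to end: every numeric parameter is cast to an integer, which neutralises injection for those, but one free-text parameter skips the cast and is concatenated straight into the query. The block below is an added example for this summary, written in Python against an in-memory SQLite database rather than ChurchCRM's PHP and MySQL; the table and column names are assumptions, not the project's real schema. It shows the integer cast doing its job, the uncast text parameter letting a payload splice a subquery into the UPDATE so that data from another table lands in the address column, and the fix, which keeps the cast and binds the text as a parameter so the same payload is stored as inert text.

```python
import sqlite3


def setup_db():
    """Constructed schema standing in for the family/person tables the cart page writes to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE family_fam (fam_id INTEGER PRIMARY KEY, fam_name TEXT, fam_address TEXT);
        CREATE TABLE person_per (per_id INTEGER PRIMARY KEY, per_fam_id INTEGER, per_name TEXT);
        INSERT INTO family_fam VALUES (1, 'Smith', '1 Main St');
        INSERT INTO family_fam VALUES (2, 'Jones', '2 Elm St');
        INSERT INTO person_per VALUES (10, 1, 'Ann Smith');
        INSERT INTO person_per VALUES (11, 2, 'Bob Jones');
    """)
    return conn


def as_int(value):
    """The cast the other parameters receive: anything non-numeric raises, so a payload
    such as "1 OR 1=1" can never reach the query through this path."""
    return int(value)


def update_family_vulnerable(conn, fam_id, address):
    """Mirrors the reported pattern: the numeric id is cast, the free-text address is not,
    and the statement is assembled by string formatting."""
    sql = "UPDATE family_fam SET fam_address = '%s' WHERE fam_id = %d" % (address, as_int(fam_id))
    conn.execute(sql)


def update_family_safe(conn, fam_id, address):
    """Fix: keep the cast for the id and bind the text value as a query parameter."""
    conn.execute("UPDATE family_fam SET fam_address = ? WHERE fam_id = ?",
                 (address, as_int(fam_id)))


def address_of(conn, fam_id):
    row = conn.execute("SELECT fam_address FROM family_fam WHERE fam_id = ?", (fam_id,)).fetchone()
    return row[0]


# Attacker-controlled PersonAddress value: closes the string literal and concatenates a
# subquery that reads a different table, while keeping the statement syntactically valid.
PAYLOAD = "' || (SELECT per_name FROM person_per WHERE per_id = 11) || '"


def demo():
    """Returns (value stored by the vulnerable path, value stored by the fixed path)."""
    conn = setup_db()
    update_family_vulnerable(conn, "1", PAYLOAD)
    leaked = address_of(conn, 1)      # the subquery ran: another row's data is now here
    update_family_safe(conn, "1", PAYLOAD)
    literal = address_of(conn, 1)     # the payload was stored as plain text
    return leaked, literal


if __name__ == "__main__":
    print(demo())
```

The subquery payload is chosen because it works as a single statement in any SQL dialect; with MySQL and a driver that allows stacked queries, the same missing cast also permits `;`-separated statements, which is where the advisory's "arbitrary SQL commands" come from.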
 
Apache Software Foundation–Apache Airflow Providers Edge3 Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3 before 2.0.0, and only if it was installed and configured on Airflow 2. Edge3 provider support in Airflow 2 has always been development-only and was never officially released; however, installing and configuring the Edge3 provider on Airflow 2 implicitly enabled a normally non-public API that was used to test the Edge provider on Airflow 2 during development. This API allowed a Dag author to perform remote code execution in the webserver context, which a Dag author is not supposed to be able to do. If you installed and configured the Edge3 provider for Airflow 2, uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) set the minimum Airflow version to 3 and remove the RCE-prone Airflow 2 code, so it should no longer be possible to use Edge3 provider 2.0.0+ on Airflow 2. If you used the Edge provider on Airflow 3, you are not affected. 2025-12-17 not yet calculated CVE-2025-67895 https://github.com/apache/airflow/pull/59143
https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
 
Gal Dubinski–Stars Testimonials Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Gal Dubinski Stars Testimonials (stars-testimonials-with-slider-and-masonry-grid) allows stored XSS. This issue affects Stars Testimonials: all versions through 3.3.4. 2025-12-16 not yet calculated CVE-2025-67912 https://vdp.patchstack.com/database/Wordpress/Plugin/stars-testimonials-with-slider-and-masonry-grid/vulnerability/wordpress-stars-testimonials-plugin-3-3-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
templateinvaders–TI WooCommerce Wishlist Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist (ti-woocommerce-wishlist) allows exploitation of incorrectly configured access control security levels. This issue affects TI WooCommerce Wishlist: all versions through 2.10.0. 2025-12-16 not yet calculated CVE-2025-67929 https://vdp.patchstack.com/database/Wordpress/Plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-plugin-2-10-0-broken-access-control-vulnerability-2?_s_id=cve
 
SendPulse–SendPulse Email Marketing Newsletter Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in SendPulse Email Marketing Newsletter (sendpulse-email-marketing-newsletter) allows retrieval of embedded sensitive data. This issue affects SendPulse Email Marketing Newsletter: all versions through 2.2.1. 2025-12-16 not yet calculated CVE-2025-67948 https://vdp.patchstack.com/database/Wordpress/Plugin/sendpulse-email-marketing-newsletter/vulnerability/wordpress-sendpulse-email-marketing-newsletter-plugin-2-2-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
Syed Balkhi–All In One SEO Pack Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Syed Balkhi All In One SEO Pack (all-in-one-seo-pack) allows blind SQL injection. This issue affects All In One SEO Pack: all versions through 4.9.1. 2025-12-16 not yet calculated CVE-2025-67950 https://vdp.patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve
 
WPZOOM–WPZOOM Addons for Elementor Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPZOOM Addons for Elementor (wpzoom-elementor-addons) allows DOM-based XSS. This issue affects WPZOOM Addons for Elementor: all versions through 1.2.10. 2025-12-16 not yet calculated CVE-2025-67951 https://vdp.patchstack.com/database/Wordpress/Plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AIOSEO Plugin Team–Broken Link Checker Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AIOSEO Plugin Team Broken Link Checker (broken-link-checker-seo) allows SQL injection. This issue affects Broken Link Checker: all versions through 1.2.6. 2025-12-16 not yet calculated CVE-2025-67962 https://vdp.patchstack.com/database/Wordpress/Plugin/broken-link-checker-seo/vulnerability/wordpress-broken-link-checker-plugin-1-2-6-sql-injection-vulnerability?_s_id=cve
 
favethemes–Homey Core Missing Authorization vulnerability in favethemes Homey Core (homey-core) allows exploitation of incorrectly configured access control security levels. This issue affects Homey Core: all versions through 2.4.3. 2025-12-16 not yet calculated CVE-2025-67965 https://vdp.patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve
 
Bob–Watu Quiz Missing Authorization vulnerability in Bob Watu Quiz (watu) allows exploitation of incorrectly configured access control security levels. This issue affects Watu Quiz: all versions through 3.4.5. 2025-12-16 not yet calculated CVE-2025-67976 https://vdp.patchstack.com/database/Wordpress/Plugin/watu/vulnerability/wordpress-watu-quiz-plugin-3-4-5-broken-access-control-vulnerability?_s_id=cve
 
osama.esh–WP Visitor Statistics (Real Time Traffic) Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) (wp-stats-manager) allows DOM-based XSS. This issue affects WP Visitor Statistics (Real Time Traffic): all versions through 8.3. 2025-12-16 not yet calculated CVE-2025-67983 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Barn2 Plugins–Document Library Lite Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite (document-library-lite) allows exploitation of incorrectly configured access control security levels (IDOR). This issue affects Document Library Lite: all versions through 1.1.7. 2025-12-16 not yet calculated CVE-2025-67985 https://vdp.patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Barn2 Plugins–Document Library Lite Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Barn2 Plugins Document Library Lite (document-library-lite) allows DOM-based XSS. This issue affects Document Library Lite: all versions through 1.1.7. 2025-12-16 not yet calculated CVE-2025-67986 https://vdp.patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LMPixels–Kerge Server-Side Request Forgery (SSRF) vulnerability in the LMPixels Kerge theme (kerge) allows server-side request forgery. This issue affects Kerge: all versions through 4.1.3. 2025-12-16 not yet calculated CVE-2025-67989 https://vdp.patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Stefano Lissa–Newsletter Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Stefano Lissa Newsletter (newsletter) allows blind SQL injection. This issue affects Newsletter: all versions through 9.0.9. 2025-12-16 not yet calculated CVE-2025-67999 https://vdp.patchstack.com/database/Wordpress/Plugin/newsletter/vulnerability/wordpress-newsletter-plugin-9-0-9-sql-injection-vulnerability?_s_id=cve
 
LambertGroup–xPromoter Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in LambertGroup xPromoter (top_bar_promoter) allows blind SQL injection. This issue affects xPromoter: all versions through 1.3.4. 2025-12-16 not yet calculated CVE-2025-68053 https://vdp.patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve
 
LambertGroup–CountDown With Image or Video Background Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in LambertGroup CountDown With Image or Video Background (countdown_with_background) allows blind SQL injection. This issue affects CountDown With Image or Video Background: all versions through 1.5. 2025-12-16 not yet calculated CVE-2025-68054 https://vdp.patchstack.com/database/Wordpress/Plugin/countdown_with_background/vulnerability/wordpress-countdown-with-image-or-video-background-plugin-1-5-sql-injection-vulnerability?_s_id=cve
 
Themefic–Hydra Booking Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Themefic Hydra Booking (hydra-booking) allows SQL injection. This issue affects Hydra Booking: all versions through 1.1.32. 2025-12-16 not yet calculated CVE-2025-68055 https://vdp.patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve
 
LambertGroup–LBG Zoominoutslider Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in LambertGroup LBG Zoominoutslider (lbg_zoominoutslider) allows SQL injection. This issue affects LBG Zoominoutslider: all versions through 5.4.5. 2025-12-16 not yet calculated CVE-2025-68056 https://vdp.patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-sql-injection-vulnerability?_s_id=cve
 
ThemeMove–EduMall Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in the ThemeMove EduMall theme (edumall) allows PHP local file inclusion. This issue affects EduMall: all versions through 4.4.7. 2025-12-16 not yet calculated CVE-2025-68061 https://vdp.patchstack.com/database/Wordpress/Theme/edumall/vulnerability/wordpress-edumall-theme-4-4-7-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeMove–MinimogWP Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in the ThemeMove MinimogWP theme (minimog) allows PHP local file inclusion. This issue affects MinimogWP: all versions through 3.9.6. 2025-12-16 not yet calculated CVE-2025-68062 https://vdp.patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-6-local-file-inclusion-vulnerability?_s_id=cve
 
LiquidThemes–Hub Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in LiquidThemes Hub Core (hub-core) allows PHP local file inclusion. This issue affects Hub Core: all versions through 5.0.8. 2025-12-16 not yet calculated CVE-2025-68065 https://vdp.patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve
 
PenciDesign–Soledad Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in the PenciDesign Soledad theme (soledad) allows PHP local file inclusion. This issue affects Soledad: all versions through 8.7.0. 2025-12-16 not yet calculated CVE-2025-68066 https://vdp.patchstack.com/database/Wordpress/Theme/soledad/vulnerability/wordpress-soledad-theme-8-7-0-local-file-inclusion-vulnerability?_s_id=cve
 
Select-Themes–Stockholm Core Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Select-Themes Stockholm Core (stockholm-core) allows PHP local file inclusion. This issue affects Stockholm Core: all versions through 2.4.6. 2025-12-16 not yet calculated CVE-2025-68067 https://vdp.patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-local-file-inclusion-vulnerability?_s_id=cve
 
Select-Themes–Stockholm Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion. This issue affects Stockholm: from n/a through <= 9.14.1. 2025-12-16 not yet calculated CVE-2025-68068 https://vdp.patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-local-file-inclusion-vulnerability?_s_id=cve
 
Vektor,Inc.–VK Google Job Posting Manager Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS. This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21. 2025-12-16 not yet calculated CVE-2025-68070 https://vdp.patchstack.com/database/Wordpress/Plugin/vk-google-job-posting-manager/vulnerability/wordpress-vk-google-job-posting-manager-plugin-1-2-21-cross-site-scripting-xss-vulnerability?_s_id=cve
 
g5theme–Essential Real Estate Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2. 2025-12-16 not yet calculated CVE-2025-68071 https://vdp.patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Select-Themes–Stockholm Core Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS. This issue affects Stockholm Core: from n/a through <= 2.4.6. 2025-12-16 not yet calculated CVE-2025-68076 https://vdp.patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Select-Themes–Stockholm Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Select-Themes Stockholm stockholm allows Stored XSS. This issue affects Stockholm: from n/a through <= 9.14.1. 2025-12-16 not yet calculated CVE-2025-68077 https://vdp.patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeNectar–Salient Portfolio Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS. This issue affects Salient Portfolio: from n/a through <= 1.8.2. 2025-12-16 not yet calculated CVE-2025-68078 https://vdp.patchstack.com/database/Wordpress/Theme/salient-portfolio/vulnerability/wordpress-salient-portfolio-theme-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeNectar–Salient Shortcodes Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS. This issue affects Salient Shortcodes: from n/a through <= 1.5.4. 2025-12-16 not yet calculated CVE-2025-68079 https://vdp.patchstack.com/database/Wordpress/Plugin/salient-shortcodes/vulnerability/wordpress-salient-shortcodes-plugin-1-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Saad Iqbal–User Avatar – Reloaded Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Saad Iqbal User Avatar – Reloaded user-avatar-reloaded allows Stored XSS. This issue affects User Avatar – Reloaded: from n/a through <= 1.2.2. 2025-12-16 not yet calculated CVE-2025-68080 https://vdp.patchstack.com/database/Wordpress/Plugin/user-avatar-reloaded/vulnerability/wordpress-user-avatar-reloaded-plugin-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SEMrush CY LTD–Semrush Content Toolkit Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery. This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32. 2025-12-16 not yet calculated CVE-2025-68082 https://vdp.patchstack.com/database/Wordpress/Plugin/semrush-contentshake/vulnerability/wordpress-semrush-content-toolkit-plugin-1-1-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Meks–Meks Quick Plugin Disabler Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery. This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0. 2025-12-16 not yet calculated CVE-2025-68083 https://vdp.patchstack.com/database/Wordpress/Plugin/meks-quick-plugin-disabler/vulnerability/wordpress-meks-quick-plugin-disabler-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Nitesh–Ultimate Auction Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Auction: from n/a through <= 4.3.2. 2025-12-16 not yet calculated CVE-2025-68084 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-auction/vulnerability/wordpress-ultimate-auction-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Buttoner for Elementor Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Buttoner for Elementor: from n/a through <= 1.0.6. 2025-12-16 not yet calculated CVE-2025-68085 https://vdp.patchstack.com/database/Wordpress/Plugin/buttoner-elementor/vulnerability/wordpress-buttoner-for-elementor-plugin-1-0-6-settings-change-vulnerability?_s_id=cve
 
merkulove–Reformer for Elementor Missing Authorization vulnerability in merkulove Reformer for Elementor reformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reformer for Elementor: from n/a through <= 1.0.6. 2025-12-16 not yet calculated CVE-2025-68086 https://vdp.patchstack.com/database/Wordpress/Plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Modalier for Elementor Missing Authorization vulnerability in merkulove Modalier for Elementor modalier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modalier for Elementor: from n/a through <= 1.0.6. 2025-12-16 not yet calculated CVE-2025-68087 https://vdp.patchstack.com/database/Wordpress/Plugin/modalier-elementor/vulnerability/wordpress-modalier-for-elementor-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve
 
merkulove–Huger for Elementor Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Huger for Elementor: from n/a through <= 1.1.5. 2025-12-16 not yet calculated CVE-2025-68088 https://vdp.patchstack.com/database/Wordpress/Plugin/huger-elementor/vulnerability/wordpress-huger-for-elementor-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve
 
parse-community–parse-server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server’s password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. 2025-12-16 not yet calculated CVE-2025-68115 https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv
https://github.com/parse-community/parse-server/pull/9985
https://github.com/parse-community/parse-server/pull/9986
 
FreeRDP–FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_` uses the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but an unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue. 2025-12-17 not yet calculated CVE-2025-68118 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h78c-5cjx-jw6x
https://github.com/FreeRDP/FreeRDP/commit/a0b21f992a9de1de2468fc9e600aa2b7a4066307
 
trpc–trpc tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`’s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue. 2025-12-16 not yet calculated CVE-2025-68130 https://github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j
 
facelessuser–pymdown-extensions PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDoS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they’re able to upgrade. 2025-12-16 not yet calculated CVE-2025-68142 https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq
https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8
https://pypi.org/project/pymdown-extensions/10.16.1
 
modelcontextprotocol–servers Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue. 2025-12-17 not yet calculated CVE-2025-68143 https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v
https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
 
modelcontextprotocol–servers In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with `--` and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 to resolve this issue when it is released. 2025-12-17 not yet calculated CVE-2025-68144 https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59
 
modelcontextprotocol–servers In mcp-server-git versions prior to 2025.12.17, when the server is started with the `--repository` flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue. 2025-12-17 not yet calculated CVE-2025-68145 https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5
 
parse-community–parse-server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available. 2025-12-16 not yet calculated CVE-2025-68150 https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf
https://github.com/parse-community/parse-server/pull/9988
https://github.com/parse-community/parse-server/pull/9989
 
Apache Software Foundation–Apache Log4j Core The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates. 2025-12-18 not yet calculated CVE-2025-68161 https://github.com/apache/logging-log4j2/pull/4002
https://logging.apache.org/security.html#CVE-2025-68161
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it. 2025-12-16 not yet calculated CVE-2025-68167 https://git.kernel.org/stable/c/70180a6031056096c93ed2f47c41803268bdd91c
https://git.kernel.org/stable/c/3c91c8f424d3e44c8645ab765a38773e58afb07d
https://git.kernel.org/stable/c/2f6115ad8864cf3f48598f26c74c7c8e5c391919
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: jfs: fix uninitialized waitqueue in transaction manager The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems. When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0. This causes a ‘non-static key’ lockdep warning and system crash: INFO: trying to register non-static key in txEnd Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit(). 2025-12-16 not yet calculated CVE-2025-68168 https://git.kernel.org/stable/c/d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64
https://git.kernel.org/stable/c/8cae9cf23e0bd424ac904e753639a587543ce03a
https://git.kernel.org/stable/c/a2aa97cde9857f881920635a2e3d3b11769619c5
https://git.kernel.org/stable/c/d2dd7ca05a11685c314e62802a55e8d67a90e974
https://git.kernel.org/stable/c/2a9575a372182ca075070b3cd77490dcf0c951e7
https://git.kernel.org/stable/c/cbf2f527ae4ca7c7dabce42e85e8deb58588a37e
https://git.kernel.org/stable/c/038861414ab383b41dd35abbf9ff0ef715592d53
https://git.kernel.org/stable/c/300b072df72694ea330c4c673c035253e07827b8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix deadlock in memory allocation under spinlock Fix an AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt. The deadlock scenario occurs when the system is under severe memory pressure: 1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU Call stack: refill_skbs() spin_lock_irqsave(&skb_pool->lock) <- lock acquired __alloc_skb() kmem_cache_alloc_node_noprof() slab_out_of_memory() printk() console_flush_all() netpoll_send_udp() skb_dequeue() spin_lock_irqsave(&skb_pool->lock) <- deadlock attempt This bug was exposed by commit 248f6571fd4c51 (“netpoll: Optimize skb refilling on critical path”) which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk be called from inside refill_skbs(). Refactor refill_skbs() to never allocate memory while holding the spinlock. Another possible solution to fix this problem is protecting refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(); then, any nested pr_warn() would be deferred. I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so having the alloc_skb() outside of the lock will be a necessary step. There is a possible TOCTOU issue when checking the pool length and queueing the newly allocated skb, but this is not an issue, given that an extra SKB in the pool is harmless and it will eventually be used. 2025-12-16 not yet calculated CVE-2025-68169 https://git.kernel.org/stable/c/06742a3ab884d7428c9050b205ffcf6a8a548397
https://git.kernel.org/stable/c/327c20c21d80e0d87834b392d83ae73c955ad8ff
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Do not kfree() devres managed rdev Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn’t be calling kfree() on it. This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free’d it. (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b) 2025-12-16 not yet calculated CVE-2025-68170 https://git.kernel.org/stable/c/f7482516002a11317912e29577bbf33cf59a0fb1
https://git.kernel.org/stable/c/2413bbd1d692aed245c2aa38a369a1fa7590db84
https://git.kernel.org/stable/c/3328443363a0895fd9c096edfe8ecd372ca9145e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure XFD state on signal delivery Sean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: <TASK> fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR. When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU’s current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption. Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature. This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible. [ dhansen: minor changelog munging ] 2025-12-16 not yet calculated CVE-2025-68171 https://git.kernel.org/stable/c/eefbfb722042fc9210d2e0ac2b063fd1abf51895
https://git.kernel.org/stable/c/1811c610653c0cd21cc9add14595b7cffaeca511
https://git.kernel.org/stable/c/5b2619b488f1d08b960c43c6468dd0759e8b3035
https://git.kernel.org/stable/c/3f735419c4b43cde42e6d408db39137b82474e31
https://git.kernel.org/stable/c/388eff894d6bc5f921e9bfff0e4b0ab2684a96e9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: aspeed - fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in the error path and remove function causes a double free. Remove the manual clock cleanup in both aspeed_acry_probe()’s error path and aspeed_acry_remove(). 2025-12-16 not yet calculated CVE-2025-68172 https://git.kernel.org/stable/c/0dd6474ced33489076e6c0f3fe5077bf12e85b28
https://git.kernel.org/stable/c/29d0504077044a7e1ffbd09a6118018d5954a6e5
https://git.kernel.org/stable/c/e8407dfd267018f4647ffb061a9bd4a6d7ebacc6
https://git.kernel.org/stable/c/3c9bf72cc1ced1297b235f9422d62b613a3fdae9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix softlockup in ftrace_module_enable A soft lockup was observed when loading the amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section and with disabled preemption, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (“ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels”) and commit 42ea22e754ba (“ftrace: Add cond_resched() to ftrace_graph_set_hash()”). Fix it the same way by adding cond_resched() in ftrace_module_enable. 2025-12-16 not yet calculated CVE-2025-68173 https://git.kernel.org/stable/c/a1dd0abd741a8111260676da729825d6c1461a71
https://git.kernel.org/stable/c/e81e6d6d99b16dae11adbeda5c996317942a940c
https://git.kernel.org/stable/c/40c8ee40e48a2c82c762539952ed8fc0571db5bf
https://git.kernel.org/stable/c/7e3c96010ade29bb340a5bdce8675f50c7f59001
https://git.kernel.org/stable/c/4099b98203d6b33d990586542fa5beee408032a3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: enhance kfd process check in switch partition The current switch partition only checks if kfd_processes_table is empty. The kfd_processes_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release. Consider two processes: Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down. Process A and B may trigger a race as shown in the dmesg log. This patch resolves the race by adding an atomic kfd_process counter kfd_processes_count; it increments when a kfd process is created and decrements when kfd_process_wq_release finishes. v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang) [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.391536] Call Trace: [3966658.391674] deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762] process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.402831] kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908] kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.434016] process_one_work+0x1ad/0x380 [3966658.434021] worker_thread+0x49/0x310 [3966658.446041] ? process_one_work+0x380/0x380 [3966658.446045] kthread+0x118/0x140 [3966658.446047] ? __kthread_bind_mask+0x60/0x60 [3966658.446050] ret_from_fork+0x1f/0x30 [register dump and module list omitted] —truncated— 2025-12-16 not yet calculated CVE-2025-68174 https://git.kernel.org/stable/c/536d80f660ec12058e461f4db387ea42bee9250d
https://git.kernel.org/stable/c/45da20e00d5da842e17dfc633072b127504f0d0e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: Fix streaming cleanup on release The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple “v4l2-ctl -l”) may release a currently streaming queue when called on such a device. This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer: gst-launch-1.0 -v v4l2src device=/dev/videoX ! video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! fakesink While this stream is running, querying the caps of the same device provokes the error state: v4l2-ctl -l -d /dev/videoX This results in the following trace: [ 155.452152] ------------[ cut here ]------------ [ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [ 157.064369] Hardware name: imx8mp_board_01 (DT) [ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.161850] Call trace: [ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [ 157.170319] __handle_irq_event_percpu+0x58/0x218 [ 157.175029] handle_irq_event+0x54/0xb8 [ 157.178867] handle_fasteoi_irq+0xac/0x248 [ 157.182968] handle_irq_desc+0x48/0x68 [ 157.186723] generic_handle_domain_irq+0x24/0x38 [ 157.191346] gic_handle_irq+0x54/0x120 [ 157.195098] call_on_irq_stack+0x24/0x30 [ 157.199027] do_interrupt_handler+0x88/0x98 [ 157.203212] el0_interrupt+0x44/0xc0 [ 157.206792] __el0_irq_handler_common+0x18/0x28 [ 157.211328] el0t_64_irq_handler+0x10/0x20 [ 157.215429] el0t_64_irq+0x198/0x1a0 [ 157.219009] ---[ end trace 0000000000000000 ]--- [module list and register dump omitted] Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release(). 2025-12-16 not yet calculated CVE-2025-68175 https://git.kernel.org/stable/c/029914306b93b37c6e7060793d2b6f76b935cfa6
https://git.kernel.org/stable/c/47773031a148ad7973b809cc7723cba77eda2b42
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI: cadence: Check for the existence of cdns_pcie::ops before using it cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn’t set the ops. Hence, add a check to prevent NULL pointer dereference. [mani: reworded subject and description] 2025-12-16 not yet calculated CVE-2025-68176 https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1
https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed
https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5
https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed
https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866
https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3
https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cpufreq/longhaul: handle NULL policy in longhaul_exit longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic. This patch adds a check using unlikely() and returns early if the policy is NULL. Bugzilla: #219962 2025-12-16 not yet calculated CVE-2025-68177 https://git.kernel.org/stable/c/b02352dd2e6cca98777714cc2a27553191df70db
https://git.kernel.org/stable/c/956b56d17a89775e4957bbddefa45cd3c6c71000
https://git.kernel.org/stable/c/55cf586b9556863e3c2a45460aba71bcb2be5bcd
https://git.kernel.org/stable/c/fd93e1d71b3b14443092919be12b1abf08de35eb
https://git.kernel.org/stable/c/8d6791c480f22d6e9a566eaa77336d3d37c5c591
https://git.kernel.org/stable/c/64adabb6d9d51b7e7c02fe733346a2c4dd738488
https://git.kernel.org/stable/c/809cf2a7794ca4c14c304b349f4c3ae220701ce4
https://git.kernel.org/stable/c/592532a77b736b5153e0c2e4c74aa50af0a352ab
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix possible deadlock while configuring policy Following deadlock can be triggered easily by lockdep: WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted —————————————————— check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180 but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}: blk_queue_enter+0x40b/0x470 blkg_conf_prep+0x7b/0x3c0 tg_set_limit+0x10a/0x3e0 cgroup_file_write+0xc6/0x420 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}: __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 wbt_init+0x17e/0x280 wbt_enable_default+0xe9/0x140 blk_register_queue+0x1da/0x2e0 __add_disk+0x38c/0x5d0 add_disk_fwnode+0x89/0x250 device_add_disk+0x18/0x30 virtblk_probe+0x13a3/0x1800 virtio_dev_probe+0x389/0x610 really_probe+0x136/0x620 __driver_probe_device+0xb3/0x230 driver_probe_device+0x2f/0xe0 __driver_attach+0x158/0x250 bus_for_each_dev+0xa9/0x130 driver_attach+0x26/0x40 bus_add_driver+0x178/0x3d0 driver_register+0x7d/0x1c0 __register_virtio_driver+0x2c/0x60 virtio_blk_init+0x6f/0xe0 do_one_initcall+0x94/0x540 kernel_init_freeable+0x56a/0x7b0 kernel_init+0x2b/0x270 ret_from_fork+0x268/0x4c0 ret_from_fork_asm+0x1a/0x30 -> #0 (&q->sysfs_lock){+.+.}-{4:4}: __lock_acquire+0x1835/0x2940 lock_acquire+0xf9/0x450 __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 blk_unregister_queue+0x53/0x180 __del_gendisk+0x226/0x690 del_gendisk+0xba/0x110 sd_remove+0x49/0xb0 [sd_mod] 
device_remove+0x87/0xb0 device_release_driver_internal+0x11e/0x230 device_release_driver+0x1a/0x30 bus_remove_device+0x14d/0x220 device_del+0x1e1/0x5a0 __scsi_remove_device+0x1ff/0x2f0 scsi_remove_device+0x37/0x60 sdev_store_delete+0x77/0x100 dev_attr_store+0x1f/0x40 sysfs_kf_write+0x65/0x90 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: &q->sysfs_lock –> &q->rq_qos_mutex –> &q->q_usage_counter(queue)#3 Possible unsafe locking scenario: CPU0 CPU1 —- —- lock(&q->q_usage_counter(queue)#3); lock(&q->rq_qos_mutex); lock(&q->q_usage_counter(queue)#3); lock(&q->sysfs_lock); Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context. The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO. 2025-12-16 not yet calculated CVE-2025-68178 https://git.kernel.org/stable/c/e1729523759cda2c0afb76b1c88e0d2f2ef5b7cb
https://git.kernel.org/stable/c/56ac639d6fa6fbb99caee74ee1c7276fc9bb47ed
https://git.kernel.org/stable/c/0585b24d71197dd9ee8cf79c168a31628c631960
https://git.kernel.org/stable/c/5d726c4dbeeddef612e6bed27edd29733f4d13af
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries. Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption. In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg). Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it. 2025-12-16 not yet calculated CVE-2025-68179 https://git.kernel.org/stable/c/7088465f10816d9425b95740b37c95f082041d76
https://git.kernel.org/stable/c/5e23918e4352288323d13fb511116cdea0234b71
https://git.kernel.org/stable/c/d4a8238e5729505b7394ccb007e5dc3e557aa66b
https://git.kernel.org/stable/c/64e2f60f355e556337fcffe80b9bcff1b22c9c42
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref in debugfs odm_combine_segments When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> seq_read_iter+0x125/0x490 ? __alloc_frozen_pages_noprof+0x18f/0x350 seq_read+0x12c/0x170 full_proxy_read+0x51/0x80 vfs_read+0xbc/0x390 ? __handle_mm_fault+0xa46/0xef0 ? do_syscall_64+0x71/0x900 ksys_read+0x73/0xf0 do_syscall_64+0x71/0x900 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? 
exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x6c/0x74 RIP: 0033:0x7f44d4031687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 </TASK> Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> CR2: 0000000000000000 —[ end trace 0000000000000000 ]— RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 
Fix this by checking pipe_ctx-> —truncated— 2025-12-16 not yet calculated CVE-2025-68180 https://git.kernel.org/stable/c/d990c7f180aa7c6ffd2c1b3c77160e50672039ce
https://git.kernel.org/stable/c/c05fe5d47baac212a3a74b279239f495be101629
https://git.kernel.org/stable/c/6dd97ceb645c08aca9fc871a3006e47fe699f0ac
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Remove calls to drm_put_dev() Since the allocation of the driver's main structure was changed to devm_drm_dev_alloc(), drm_put_dev()'ing to trigger it to be freed should be done by devres. However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe, warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.

[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22
[ 5.649605] ------------[ cut here ]------------
[ 5.649607] refcount_t: underflow; use-after-free.
[ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110

(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4) 2025-12-16 not yet calculated CVE-2025-68181 https://git.kernel.org/stable/c/2fa41445d8c98f2a65503c373796466496edc0e7
https://git.kernel.org/stable/c/ec18f6b2c743cc471b2539ddb5caed20a012e640
https://git.kernel.org/stable/c/745bae76acdd71709773c129a69deca01036250b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link() This code frees “link” by calling kfree_rcu(link, rcu_head) and then it dereferences “link” to get the “link->fw_id”. Save the “link->fw_id” first to avoid a potential use after free. 2025-12-16 not yet calculated CVE-2025-68182 https://git.kernel.org/stable/c/5b4a239c9f94e1606435f1842fc6fd426d607dbb
https://git.kernel.org/stable/c/77e67d5daaf155f7d0f99f4e797c4842169ec19e
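The iwlwifi fix above is an ordering bug: kfree_rcu() is called on "link" and only afterwards is link->fw_id read. The following is an added userspace model of that pattern, not code from iwlwifi or the kernel. model_kfree_rcu() stands in for kfree_rcu(): like a poisoned slab object, it overwrites the memory immediately and only really frees it when the grace period is flushed, so the read-after-free is observable without undefined behaviour. The struct, the fw_links_active table and all function names are hypothetical.

```c
/*
 * Added example (not iwlwifi code): userspace model of the
 * "kfree_rcu() then read link->fw_id" ordering bug and its fix.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SLAB_POISON 0x6b   /* SLUB's POISON_FREE byte */
#define MAX_DEFERRED 16

struct link {                /* hypothetical stand-in for the driver's link object */
	uint8_t  fw_id;
	uint32_t other_state;
};

/* Deferred-free queue standing in for the RCU callback list. */
static void *deferred[MAX_DEFERRED];
static int   ndeferred;

static void model_kfree_rcu(void *obj, size_t size)
{
	memset(obj, SLAB_POISON, size);   /* contents are gone from the caller's point of view */
	if (ndeferred < MAX_DEFERRED)
		deferred[ndeferred++] = obj;
}

static void model_rcu_barrier(void)   /* grace period ends: really free the objects */
{
	for (int i = 0; i < ndeferred; i++)
		free(deferred[i]);
	ndeferred = 0;
}

/* Hypothetical firmware-side bookkeeping indexed by fw_id. */
static uint8_t fw_links_active[256];

/* Bug pattern: free first, then read fw_id from the dead object. */
static uint8_t remove_link_buggy(struct link *link)
{
	model_kfree_rcu(link, sizeof(*link));
	uint8_t id = link->fw_id;          /* use after (deferred) free: reads poison */
	fw_links_active[id] = 0;           /* clears the wrong slot */
	return id;
}

/* Fixed pattern from the commit: save fw_id before handing the object to kfree_rcu(). */
static uint8_t remove_link_fixed(struct link *link)
{
	uint8_t id = link->fw_id;
	model_kfree_rcu(link, sizeof(*link));
	fw_links_active[id] = 0;
	return id;
}

static struct link *new_link(uint8_t fw_id)
{
	struct link *l = calloc(1, sizeof(*l));
	if (!l)
		abort();
	l->fw_id = fw_id;
	fw_links_active[fw_id] = 1;
	return l;
}

int main(void)
{
	uint8_t b = remove_link_buggy(new_link(3));
	uint8_t f = remove_link_fixed(new_link(3));
	printf("buggy path cleared fw_id %u (wanted 3), fixed path cleared %u\n", b, f);
	model_rcu_barrier();
	return 0;
}
```

The point the model makes is that a deferred free is still a free: once the object is queued, the caller may no longer read it, even though the memory is not reused until the grace period ends.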
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated:

# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...

This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.

Here's a minimal C reproducer which sets security.selinux as the last step, which can also be replaced by removing security.evm or setting ACL:

```c
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

int main()
{
	/* Runs as root on a kernel booted with IMA and EVM in fix mode. */
	const char *file_path = "/usr/sbin/test_binary";
	/* Hex-encoded security.ima value; the leading 0x03 is the EVM_IMA_XATTR_DIGSIG type byte. */
	const char *hex_string = "030204d33204490066306402304";
	int length = strlen(hex_string);
	char *ima_attr_value;
	int fd;

	fd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (fd == -1) {
		perror("Error opening file");
		return 1;
	}

	/* Round up so an odd-length hex string does not write one byte past the buffer. */
	ima_attr_value = (char *)malloc((length + 1) / 2);
	for (int i = 0, j = 0; i < length; i += 2, j++) {
		sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
	}

	/* Step 1: store a signature-type value in security.ima; this sets IMA_DIGSIG. */
	if (fsetxattr(fd, "security.ima", ima_attr_value, (length + 1) / 2, 0) == -1) {
		perror("Error setting extended attribute");
		close(fd);
		return 1;
	}

	/* Step 2: set an unrelated security xattr; before the fix this cleared IMA_DIGSIG. */
	const char *selinux_value = "system_u:object_r:bin_t:s0";
	if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
		perror("Error setting extended attribute");
		close(fd);
		return 1;
	}

	/* Step 3: on close, the unfixed kernel re-hashes the file and replaces the signature. */
	close(fd);
	free(ima_attr_value);
	return 0;
}
```
2025-12-16 not yet calculated CVE-2025-68183 https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407
https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292
https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023
https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Disable AFBC support on Mediatek DRM driver Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier. However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0. Kernel trace reports vblank timeouts constantly, and the render is garbled:

```
[CRTC:62:crtc-0] vblank wait timed out
WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
[...]
Hardware name: MediaTek Genio-700 EVK (DT)
Workqueue: events_unbound commit_work
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
sp : ffff80008337bca0
x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000
x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000
x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80
x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a
x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000
x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b
x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70
x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70
x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480
Call trace:
drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)
drm_atomic_helper_commit_tail_rpm+0x64/0x80
commit_tail+0xa4/0x1a4
commit_work+0x14/0x20
process_one_work+0x150/0x290
worker_thread+0x2d0/0x3ec
kthread+0x12c/0x210
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
```

Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa. 2025-12-16 not yet calculated CVE-2025-68184 https://git.kernel.org/stable/c/df1ad5de2197ea1b527d13ae7b699e9ee7d724d4
https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17
https://git.kernel.org/stable/c/72223700b620885d556a4c52a63f5294316176c6
https://git.kernel.org/stable/c/9882a40640036d5bbc590426a78981526d4f2345
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Theoretically it’s an oopsable race, but I don’t believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won’t be easy to attack. Anyway, it’s easy to deal with – since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that. 2025-12-16 not yet calculated CVE-2025-68185 https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677
https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1
https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79
https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb
https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e
https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a
https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1
https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning. This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn’t checked for. If the reader catches up to the writer and there’s still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there’s no new page to get. In this situation, the reader page should not be updated and no warning should trigger. 2025-12-16 not yet calculated CVE-2025-68186 https://git.kernel.org/stable/c/b42dbef4f208326271434d5ab71c4129a3ddd1a9
https://git.kernel.org/stable/c/6f5c4f8109fa4d0955b3712597a26b310bdc736f
https://git.kernel.org/stable/c/aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: mdio: Check regmap pointer returned by device_node_to_regmap() The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced. Add an IS_ERR() check and return the corresponding error code to make the probe path more robust. 2025-12-16 not yet calculated CVE-2025-68187 https://git.kernel.org/stable/c/dc8ed3823473bb38ba43cfb34f1e1c1baa22f975
https://git.kernel.org/stable/c/b2b526c2cf57d14ee269e012ed179081871f45a1
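The airoha_mdio fix above turns on a kernel convention worth seeing in isolation: functions like device_node_to_regmap() report failure by returning an ERR_PTR(), not NULL, so a plain NULL check lets the bad pointer through. The following is an added userspace model of that convention, not kernel or driver code. ERR_PTR(), IS_ERR() and PTR_ERR() are re-implemented with the same encoding the kernel uses (negative errno values placed in the top MAX_ERRNO bytes of the address space); get_regmap(), probe_without_check() and probe_with_check() are hypothetical stand-ins for the lookup and the probe path.

```c
/*
 * Added example (not kernel code): why "if (!ptr)" does not catch a
 * failed device_node_to_regmap()-style lookup, and the IS_ERR() fix.
 */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Same encoding as include/linux/err.h: -1..-MAX_ERRNO map to the last
 * 4095 bytes of the address space, which no valid object can occupy. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error)           { return (void *)error; }
static inline long  PTR_ERR(const void *p)        { return (long)p; }
static inline bool  IS_ERR(const void *p)         { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline bool  IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct regmap { uint32_t base; };                 /* hypothetical */
static struct regmap good_map = { .base = 0x1fa00000 };

/* Hypothetical lookup: node 0 succeeds, anything else fails with -ENOMEM. */
static struct regmap *get_regmap(int node_id)
{
	return node_id == 0 ? &good_map : ERR_PTR(-ENOMEM);
}

/* Bug pattern: stores the pointer after a NULL test only. Returns what the
 * driver would believe ("success"), and leaves the stored pointer in *out. */
static bool probe_without_check(int node_id, struct regmap **out)
{
	struct regmap *map = get_regmap(node_id);
	*out = map;
	return map != NULL;   /* true even for ERR_PTR(-ENOMEM): later deref crashes */
}

/* Fixed pattern from the commit: IS_ERR() and propagate PTR_ERR(). */
static int probe_with_check(int node_id, struct regmap **out)
{
	struct regmap *map = get_regmap(node_id);
	if (IS_ERR(map)) {
		*out = NULL;
		return (int)PTR_ERR(map);   /* -ENOMEM */
	}
	*out = map;
	return 0;
}

int main(void)
{
	struct regmap *m;
	bool ok = probe_without_check(1, &m);
	printf("unchecked probe: reported %s, IS_ERR(stored)=%d\n",
	       ok ? "success" : "failure", IS_ERR(m));
	int rc = probe_with_check(1, &m);
	printf("checked probe: rc=%d%s\n", rc, rc == -ENOMEM ? " (-ENOMEM)" : "");
	return 0;
}
```

When reviewing probe paths, the question to ask for every returned pointer is which convention the callee uses: NULL on failure, ERR_PTR on failure, or both (hence IS_ERR_OR_NULL()). Checking the wrong one is exactly the latent crash the commit describes.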
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags. 2025-12-16 not yet calculated CVE-2025-68188 https://git.kernel.org/stable/c/bc2b881a0896c111c1041d8bb1f92a3b3873ace5
https://git.kernel.org/stable/c/06da08d9355bf8e2070459bbedbe372ccc02cc0e
https://git.kernel.org/stable/c/b62a59c18b692f892dcb8109c1c2e653b2abc95c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix GEM free for imported dma-bufs Imported dma-bufs also have obj->resv != &obj->_resv. So we should check both this condition in addition to flags for handling the _NO_SHARE case. Fixes this splat that was reported with IRIS video playback: ————[ cut here ]———— WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm] CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=–) pc : msm_gem_free_object+0x1f8/0x264 [msm] lr : msm_gem_free_object+0x138/0x264 [msm] sp : ffff800092a1bb30 x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08 x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6 x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200 x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000 x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020 x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032 x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8 Call trace: msm_gem_free_object+0x1f8/0x264 [msm] (P) drm_gem_object_free+0x1c/0x30 [drm] drm_gem_object_handle_put_unlocked+0x138/0x150 [drm] drm_gem_object_release_handle+0x5c/0xcc [drm] drm_gem_handle_delete+0x68/0xbc [drm] drm_gem_close_ioctl+0x34/0x40 [drm] drm_ioctl_kernel+0xc0/0x130 [drm] drm_ioctl+0x360/0x4e0 [drm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c —[ end trace 0000000000000000 ]— ————[ cut here ]———— Patchwork: https://patchwork.freedesktop.org/patch/676273/ 
2025-12-16 not yet calculated CVE-2025-68189 https://git.kernel.org/stable/c/9674c4cb2fe62727a2e4d3f66065ab949dfa61be
https://git.kernel.org/stable/c/c34e08ba6c0037a72a7433741225b020c989e4ae
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference. 2025-12-16 not yet calculated CVE-2025-68190 https://git.kernel.org/stable/c/35f3fb86bb0158a298d6834e7e110dcaf07f490c
https://git.kernel.org/stable/c/997e28d3d00a1d30649629515e4402612921205b
https://git.kernel.org/stable/c/cc9a8e238e42c1f43b98c097995137d644b69245
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: use netdev_warn() instead of netdev_WARN() netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug. udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug. Replace netdev_WARN() with netdev_warn() accordingly. 2025-12-16 not yet calculated CVE-2025-68191 https://git.kernel.org/stable/c/087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0
https://git.kernel.org/stable/c/45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4
https://git.kernel.org/stable/c/7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba
https://git.kernel.org/stable/c/c018a87942bf1607aeebf8dba5a210ca9a09a0fd
https://git.kernel.org/stable/c/51b3033088f0420b19027e3d54cd989b6ebd987e
https://git.kernel.org/stable/c/3c3b148bf8384c8a787753cf20abde1c5731f97f
https://git.kernel.org/stable/c/dc2f650f7e6857bf384069c1a56b2937a1ee370d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crashes. This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface. Example trace: Internal error: Oops: 000000009600004f [#1] SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 Hardware name: LS1028A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : xfrm_input+0xde8/0x1318 lr : xfrm_input+0x61c/0x1318 sp : ffff800080003b20 Call trace: xfrm_input+0xde8/0x1318 xfrm6_rcv+0x38/0x44 xfrm6_esp_rcv+0x48/0xa8 ip6_protocol_deliver_rcu+0x94/0x4b0 ip6_input_finish+0x44/0x70 ip6_input+0x44/0xc0 ipv6_rcv+0x6c/0x114 __netif_receive_skb_one_core+0x5c/0x8c __netif_receive_skb+0x18/0x60 process_backlog+0x78/0x17c __napi_poll+0x38/0x180 net_rx_action+0x168/0x2f0 2025-12-16 not yet calculated CVE-2025-68192 https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9
https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223
https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71
https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42
https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb
https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3
https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69
https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Add devm release action to safely tear down CT When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in: Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace: guc_ct_send_locked+0x8b/0x670 [xe] xe_guc_ct_send_locked+0x19/0x60 [xe] send_tlb_invalidation+0xb4/0x460 [xe] xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe] ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe] ggtt_node_remove+0x110/0x140 [xe] xe_ggtt_node_remove+0x40/0xa0 [xe] xe_ggtt_remove_bo+0x87/0x250 [xe] Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario. 2025-12-16 not yet calculated CVE-2025-68193 https://git.kernel.org/stable/c/52faa05fcd9f78af99abebe30a4b7b444744c991
https://git.kernel.org/stable/c/ee4b32220a6b41e71512e8804585325e685456ba
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: imon: make send_packet() more robust syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1]. First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls). Alan Stern commented [2] that In theory it’s okay to resubmit _if_ the driver has a robust error-recovery scheme (such as giving up after some fixed limit on the number of errors or after some fixed time has elapsed, perhaps with a time delay to prevent a flood of errors). Most drivers don’t bother to do this; they simply give up right away. This makes them more vulnerable to short-term noise interference during USB transfers, but in reality such interference is quite rare. There’s nothing really wrong with giving up right away. but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed. Since I’m not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb). Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (“[media] imon: don’t wedge hardware after early callbacks”). Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (“[media] imon: don’t parse scancodes until intf configured”) to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task). 
Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds. 2025-12-16 not yet calculated CVE-2025-68194 https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63
https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f
https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b
https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208
https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b
https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5
https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d
https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access. 2025-12-16 not yet calculated CVE-2025-68195 https://git.kernel.org/stable/c/4c6b56a76478bd1ab609827c571905386c11d308
https://git.kernel.org/stable/c/f1fdffe0afea02ba783acfe815b6a60e7180df40
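The zen5_rdseed_microcode fix above is a missing sentinel: x86_match_min_microcode_rev() walks the table until it hits an all-zero entry, so a table without one is read past its end. The following is an added userspace model of that table shape, not kernel code. The entry layout, the walkers and the DEFINE_TERMINATED_TABLE() macro are hypothetical, and the family/model/revision values are made up; the macro shows one way to make the terminator impossible to forget, and the bounded walker shows the alternative of not relying on a sentinel at all.

```c
/*
 * Added example (not kernel code): sentinel-terminated match table walking,
 * with two ways of preventing the "missing terminator" out-of-bounds read.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct min_ucode_entry {          /* hypothetical layout */
	uint8_t  family;          /* 0 marks the terminator */
	uint8_t  model;
	uint32_t min_rev;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Sentinel walker: stops at the first all-zero entry. Without a terminator
 * this loop keeps reading whatever follows the array in memory. */
static bool has_min_microcode(const struct min_ucode_entry *tbl,
			      uint8_t family, uint8_t model, uint32_t rev)
{
	for (; tbl->family != 0; tbl++)
		if (tbl->family == family && tbl->model == model)
			return rev >= tbl->min_rev;
	return false;   /* not listed: no minimum revision known */
}

/* Defensive definition: the macro appends the { 0 } terminator itself, so a
 * table declared this way cannot be missing it. */
#define DEFINE_TERMINATED_TABLE(name, ...) \
	static const struct min_ucode_entry name[] = { __VA_ARGS__, { 0 } }

/* Made-up entries for the demonstration. */
DEFINE_TERMINATED_TABLE(zen5_rdseed_demo,
	{ .family = 0x1a, .model = 0x02, .min_rev = 0x01000005 },
	{ .family = 0x1a, .model = 0x11, .min_rev = 0x01000010 });

/* Bounded walker: takes the element count, so it is safe even for a table
 * that has no terminator. Pass ARRAY_SIZE(tbl) from the defining scope. */
static bool has_min_microcode_n(const struct min_ucode_entry *tbl, size_t n,
				uint8_t family, uint8_t model, uint32_t rev)
{
	for (size_t i = 0; i < n; i++)
		if (tbl[i].family == family && tbl[i].model == model)
			return rev >= tbl[i].min_rev;
	return false;
}

int main(void)
{
	printf("table has %zu entries including terminator\n", ARRAY_SIZE(zen5_rdseed_demo));
	printf("model 0x02 rev 0x01000005: %s\n",
	       has_min_microcode(zen5_rdseed_demo, 0x1a, 0x02, 0x01000005) ? "ok" : "too old");
	printf("model 0x02 rev 0x01000004: %s\n",
	       has_min_microcode(zen5_rdseed_demo, 0x1a, 0x02, 0x01000004) ? "ok" : "too old");
	printf("model 0x7f (unlisted): %s\n",
	       has_min_microcode_n(zen5_rdseed_demo, ARRAY_SIZE(zen5_rdseed_demo),
				   0x1a, 0x7f, 0xffffffff) ? "ok" : "unknown");
	return 0;
}
```

KASAN caught the kernel's instance because the walk ran off the end of the array; in a non-KASAN build the same read silently consumes adjacent data as a table entry, which is why either a guaranteed terminator or an explicit bound is preferable to trusting every author to remember the trailing `{}`.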
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Cache streams targeting link when performing LT automation [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state. [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state. 2025-12-16 not yet calculated CVE-2025-68196 https://git.kernel.org/stable/c/9ecd238e8230e83a5c5436fd2261da4518f5c979
https://git.kernel.org/stable/c/f5b69101f956f5b89605a13cb15f093a7906f2a1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized. This will result in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a valid magic_byte pointer before proceeding. 2025-12-16 not yet calculated CVE-2025-68197 https://git.kernel.org/stable/c/689ae5ba31293eebb7f21c0ef8939468ac72b5ce
https://git.kernel.org/stable/c/ff02be05f78399c766be68ab0b2285ff90b2aaa8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:
1. Invalid crashkernel resource objects
2. Kernel crash if crashkernel shrinking is done twice
For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as:
cat /proc/iomem | grep -i crash
af000000-beffffff : Crash kernel
433000000-43f7fffff : Crash kernel
If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
af000000-beffffff : Crash kernel
Instead, it should show 50MB:
af000000-b21fffff : Crash kernel
Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):
BUG: kernel NULL pointer dereference, address: 0000000000000038
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
<snip…>
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? page_fault_oops+0x15a/0x2f0
? search_module_extables+0x19/0x60
? search_bpf_extables+0x5f/0x80
? exc_page_fault+0x7e/0x180
? asm_exc_page_fault+0x26/0x30
? __release_resource+0xd/0xb0
release_resource+0x26/0x40
__crash_shrink_memory+0xe5/0x110
crash_shrink_memory+0x12a/0x190
kexec_crash_size_store+0x41/0x80
kernfs_fop_write_iter+0x141/0x1f0
vfs_write+0x294/0x460
ksys_write+0x6d/0xf0
<snip…>
This happens because __crash_shrink_memory() in kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated. Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory. 2025-12-16 not yet calculated CVE-2025-68198 https://git.kernel.org/stable/c/f01f9c348d76d40bf104a94449e3ce4057fdefee
https://git.kernel.org/stable/c/f89c5e7077f63e45e8ba5a77b7cf0803130367e6
https://git.kernel.org/stable/c/a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618
https://git.kernel.org/stable/c/00fbff75c5acb4755f06f08bd1071879c63940c5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty. As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY. Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to free the slabB->obj_exts vector. free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY. Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it’s already set to CODETAG_EMPTY. To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1); We then obtained this message:
[21630.898561] ------------[ cut here ]------------
[21630.898596] kernel BUG at mm/slub.c:2050!
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
…
[21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary)
[21630.910495] Tainted: [W]=WARN
[21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
[21630.912392] pc : __free_slab+0x228/0x250
[21630.912868] lr : __free_slab+0x18c/0x250
…
[21630.921810] Call trace:
[21630.922130]  __free_slab+0x228/0x250 (P)
[21630.922669]  free_slab+0x38/0x118
[21630.923079]  free_to_partial_list+0x1d4/0x340
[21630.923591]  __slab_free+0x24c/0x348
[21630.924024]  ___cache_free+0xf0/0x110
[21630.924468]  qlist_free_all+0x78/0x130
[21630.924922]  kasan_quarantine_reduce+0x11 ---truncated--- 2025-12-16 not yet calculated CVE-2025-68199 https://git.kernel.org/stable/c/fc6acd4cddf76e7eb7db63649fe36980ce208f56
https://git.kernel.org/stable/c/3f56c407feb967e6faeb4e2e04eaa8edc206a686
https://git.kernel.org/stable/c/1abbdf3d57aa964e572940d67c9ec5dc87710738
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Add bpf_prog_run_data_pointers() syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
struct tc_skb_cb has been added in commit ec624fe740b4 (“net/sched: Extend qdisc control block with tc control block”), which added a wrong interaction with db58ba459202 (“bpf: wire in data and data_end for cls_act_bpf”). drop_reason was added later. Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end. 2025-12-16 not yet calculated CVE-2025-68200 https://git.kernel.org/stable/c/c4cdd143c35974a2cedd000fa9eb3accc3023b20
https://git.kernel.org/stable/c/5e149d8a8e732126fb6014efd60075cf63a73f91
https://git.kernel.org/stable/c/baa61dcaa50b7141048c8d2aede7fe9ed8f21d11
https://git.kernel.org/stable/c/6392e5f4b1a3cce10e828309baf35d22abd3457d
https://git.kernel.org/stable/c/8dd2fe5f5d586c8e87307b7a271f6b994afcc006
https://git.kernel.org/stable/c/4ef92743625818932b9c320152b58274c05e5053
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: remove two invalid BUG_ON()s Those can be triggered trivially by userspace. 2025-12-16 not yet calculated CVE-2025-68201 https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd
https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc
https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix unsafe locking in the scx_dump_state() For kernels built with CONFIG_PREEMPT_RT=y, the dump_lock will be converted to a sleepable spinlock that does not disable IRQs, so the following scenario occurs:
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:
(&rq->__lock){?…}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40
{IN-HARDIRQ-W} state was registered at:
lock_acquire+0x1e1/0x510 _raw_spin_lock_nested+0x42/0x80 raw_spin_rq_lock_nested+0x2b/0x40 sched_tick+0xae/0x7b0 update_process_times+0x14c/0x1b0 tick_periodic+0x62/0x1f0 tick_handle_periodic+0x48/0xf0 timer_interrupt+0x55/0x80 __handle_irq_event_percpu+0x20a/0x5c0 handle_irq_event_percpu+0x18/0xc0 handle_irq_event+0xb5/0x150 handle_level_irq+0x220/0x460 __common_interrupt+0xa2/0x1e0 common_interrupt+0xb0/0xd0 asm_common_interrupt+0x2b/0x40 _raw_spin_unlock_irqrestore+0x45/0x80 __setup_irq+0xc34/0x1a30 request_threaded_irq+0x214/0x2f0 hpet_time_init+0x3e/0x60 x86_late_time_init+0x5b/0xb0 start_kernel+0x308/0x410 x86_64_start_reservations+0x1c/0x30 x86_64_start_kernel+0x96/0xa0 common_startup_64+0x13e/0x148
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&rq->__lock);
<Interrupt>
  lock(&rq->__lock);
*** DEADLOCK ***
stack backtrace:
CPU: 0 UID: 0 PID: 27 Comm: irq_work/0
Call Trace:
<TASK>
dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 print_usage_bug+0x42e/0x690 mark_lock.part.44+0x867/0xa70 ? __pfx_mark_lock.part.44+0x10/0x10 ? string_nocheck+0x19c/0x310 ? number+0x739/0x9f0 ? __pfx_string_nocheck+0x10/0x10 ? __pfx_check_pointer+0x10/0x10 ? kvm_sched_clock_read+0x15/0x30 ? sched_clock_noinstr+0xd/0x20 ? local_clock_noinstr+0x1c/0xe0 __lock_acquire+0xc4b/0x62b0 ? __pfx_format_decode+0x10/0x10 ? __pfx_string+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 lock_acquire+0x1e1/0x510 ? raw_spin_rq_lock_nested+0x2b/0x40 ? __pfx_lock_acquire+0x10/0x10 ? dump_line+0x12e/0x270 ? raw_spin_rq_lock_nested+0x20/0x40 _raw_spin_lock_nested+0x42/0x80 ? raw_spin_rq_lock_nested+0x2b/0x40 raw_spin_rq_lock_nested+0x2b/0x40 scx_dump_state+0x3b3/0x1270 ? finish_task_switch+0x27e/0x840 scx_ops_error_irq_workfn+0x67/0x80 irq_work_single+0x113/0x260 irq_work_run_list.part.3+0x44/0x70 run_irq_workd+0x6b/0x90 ? __pfx_run_irq_workd+0x10/0x10 smpboot_thread_fn+0x529/0x870 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x305/0x3f0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x40/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30
</TASK>
This commit therefore uses rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state(). 2025-12-16 not yet calculated CVE-2025-68202 https://git.kernel.org/stable/c/13d1c96d3a9f208bc1aa8642f6362dca25a157d2
https://git.kernel.org/stable/c/b6109750063d3b9aca1c57031213ac5485a06c54
https://git.kernel.org/stable/c/5f02151c411dda46efcc5dc57b0845efcdcfc26d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process Fix a potential deadlock caused by inconsistent spinlock usage between interrupt and process contexts in the userq fence driver. The issue occurs when amdgpu_userq_fence_driver_process() is called from both:
– Interrupt context: gfx_v11_0_eop_irq() -> amdgpu_userq_fence_driver_process()
– Process context: amdgpu_eviction_fence_suspend_worker() -> amdgpu_userq_fence_driver_force_completion() -> amdgpu_userq_fence_driver_process()
In interrupt context, the spinlock was acquired without disabling interrupts, leaving it in {IN-HARDIRQ-W} state. When the same lock is acquired in process context, the kernel detects inconsistent locking since the process context acquisition would enable interrupts while holding a lock previously acquired in interrupt context. Kernel log shows:
[ 4039.310790] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
[ 4039.310804] kworker/7:2/409 [HC0[0]:SC0[0]:HE1:SE1] takes:
[ 4039.310818] ffff9284e1bed000 (&fence_drv->fence_list_lock){?…}-{3:3},
[ 4039.310993] {IN-HARDIRQ-W} state was registered at:
[ 4039.311004] lock_acquire+0xc6/0x300
[ 4039.311018] _raw_spin_lock+0x39/0x80
[ 4039.311031] amdgpu_userq_fence_driver_process.part.0+0x30/0x180 [amdgpu]
[ 4039.311146] amdgpu_userq_fence_driver_process+0x17/0x30 [amdgpu]
[ 4039.311257] gfx_v11_0_eop_irq+0x132/0x170 [amdgpu]
Fix by using spin_lock_irqsave()/spin_unlock_irqrestore() to properly manage interrupt state regardless of calling context. (cherry picked from commit ded3ad780cf97a04927773c4600823b84f7f3cc2) 2025-12-16 not yet calculated CVE-2025-68203 https://git.kernel.org/stable/c/1ad70a06d7e91c378b346a3718c81abb50a74b74
https://git.kernel.org/stable/c/6623c5f9fd877868fba133b4ae4dab0052e82dad
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix:
| Unable to handle kernel paging request at virtual address fffffffffffffc70
| CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : genpd_debug_add+0x2c/0x160
| lr : genpd_debug_init+0x74/0x98
| Call trace:
|  genpd_debug_add+0x2c/0x160 (P)
|  genpd_debug_init+0x74/0x98
|  do_one_initcall+0xd0/0x2d8
|  do_initcall_level+0xa0/0x140
|  do_initcalls+0x60/0xa8
|  do_basic_setup+0x28/0x40
|  kernel_init_freeable+0xe8/0x170
|  kernel_init+0x2c/0x140
|  ret_from_fork+0x10/0x20
2025-12-16 not yet calculated CVE-2025-68204 https://git.kernel.org/stable/c/18249a167ffd91b4b4fbd92afd4ddcbf3af81f35
https://git.kernel.org/stable/c/c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a
https://git.kernel.org/stable/c/582f48d22eb5676fe7be3589b986ddd29f7bf4d1
https://git.kernel.org/stable/c/7f569197f7ad09319af960bd7e43109de5c67c04
https://git.kernel.org/stable/c/ad120c08b89a81d41d091490bbe150343473b659
https://git.kernel.org/stable/c/921b090841ae7a08b19ab14495bdf8636dc31e21
https://git.kernel.org/stable/c/983e91da82ec3e331600108f9be3ea61236f5c75
https://git.kernel.org/stable/c/7458f72cc28f9eb0de811effcb5376d0ec19094a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for the nvhdmi-mcp driver; both build_controls and build_pcms are swapped. Unfortunately both callbacks have the very same form, and the compiler didn’t complain about it, either. This resulted in a NULL dereference because the PCM instance hasn’t been initialized when calling the build_controls callback. Fix it by passing the proper entries. 2025-12-16 not yet calculated CVE-2025-68205 https://git.kernel.org/stable/c/d2aed6fac1148528181affb781aa683d6569042b
https://git.kernel.org/stable/c/82420bd4e17bdaba8453fbf9e10c58c9ed0c9727
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes, due to the need to re-write the packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset:
table inet ftp_nat {
    ct helper ftp_helper {
        type "ftp" protocol tcp
        l3proto inet
    }
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct state new ct helper set "ftp_helper"
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
    }
    chain postrouting {
        type nat hook postrouting priority 100 ; policy accept;
        tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 }
    }
}
Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topology:
+-------------------+     +----------------------------------+
| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+-------------------+     +----------------------------------+
                                          |
                             +-----------------------+
                             | Client: 192.168.100.2 |
                             +-----------------------+
ftp nat changes do not work as expected in this case:
Connected to 192.168.100.1.
[..]
ftp> epsv
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering passive mode (192,168,100,1,209,129).
421 Service not available, remote server has closed connection.
Kernel logs:
Missing nfct_seqadj_ext_add() setup call
WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[..]
__nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
help+0x4d1/0x880 [nf_conntrack_ftp]
nf_confirm+0x122/0x2e0 [nf_conntrack]
nf_hook_slow+0x3c/0xb0
..
Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding. 2025-12-16 not yet calculated CVE-2025-68206 https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6
https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Synchronize Dead CT worker with unbind Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation. (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263) 2025-12-16 not yet calculated CVE-2025-68207 https://git.kernel.org/stable/c/35959ab7d16b618616edf6df882a4533d2efe193
https://git.kernel.org/stable/c/ce6ccf8e881a919bf902174ac879f80c97669498
https://git.kernel.org/stable/c/95af8f4fdce8349a5fe75264007f1af2aa1082ea
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: account for current allocated stack depth in widen_imprecise_scalars() The usage pattern for widen_imprecise_scalars() looks as follows:
prev_st = find_prev_entry(env, …);
queued_st = push_stack(…);
widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:
def main():
  for i in 1..2:
    foo(i) // same callsite, different param

def foo(i):
  if i == 1:
    use 128 bytes of stack
  iterator based loop
Here, for a second ‘foo’ call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds. 2025-12-16 not yet calculated CVE-2025-68208 https://git.kernel.org/stable/c/64b12dca2b0abcb5fc0542887d18b926ea5cf711
https://git.kernel.org/stable/c/9944c7938cd5b3f37b0afec0481c7c015e4f1c58
https://git.kernel.org/stable/c/57e04e2ff56e32f923154f0f7bc476fcb596ffe7
https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f73877f71968dbffd27b7785
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mlx5: Fix default values in create CQ Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function. Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ’s arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases. These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause. This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs. 2025-12-16 not yet calculated CVE-2025-68209 https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4
https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loop due to incomplete zstd-compressed data Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images. 2025-12-16 not yet calculated CVE-2025-68210 https://git.kernel.org/stable/c/4d0e0bb1908acac5b27d30b45c450e8ead97eb00
https://git.kernel.org/stable/c/1f86d73a0afe43b6a85d2aa8207853350b7e2111
https://git.kernel.org/stable/c/f2a12cc3b97f062186568a7b94ddb7aa2ef68140
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages. This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use a large amount of CPU without deduplicating many pages. This patch replaces the per-address lookup with a range walk using walk_page_range(). The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups. This problem was previously discussed in [1]. Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:
#include <unistd.h>
#include <stdio.h>
#include <sys/mman.h>

/* 32 TiB */
const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;

int main()
{
	char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,
			  MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);
	if (area == MAP_FAILED) {
		perror("mmap() failed\n");
		return -1;
	}

	/* Populate a single page such that we get an anon_vma. */
	*area = 0;

	/* Enable KSM. */
	madvise(area, size, MADV_MERGEABLE);
	pause();
	return 0;
}
$ ./ksm-sparse &
$ echo 1 > /sys/kernel/mm/ksm/run
Without this patch ksmd uses 100% of the CPU for a long time (more than 1 hour on my test machine) scanning all the 32 TiB virtual address space that contains only one mapped page. This makes ksmd essentially deadlocked, not able to deduplicate anything of value. With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little CPU. 2025-12-16 not yet calculated CVE-2025-68211 https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3
https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c
https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized ‘offp’ in statmount_string() In statmount_string(), most flags assign an output offset pointer (offp) which is later updated with the string offset. However, the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the struct fields instead of using offp. This leaves offp uninitialized, leading to a possible uninitialized dereference when *offp is updated. Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code path consistent. 2025-12-16 not yet calculated CVE-2025-68212 https://git.kernel.org/stable/c/acfde9400e611c8d2668f1c70053c4a1d6ecfc36
https://git.kernel.org/stable/c/0778ac7df5137d5041783fadfc201f8fd55a1d9b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix possible vport_config NULL pointer deref in remove Attempting to remove the driver will cause a crash in cases where the vport failed to initialize. The following trace is from an instance where the driver failed during an attempt to create a VF:
[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated
[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)
[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028
…
[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]
…
[ 1723.364973] Call Trace:
[ 1723.365475] <TASK>
[ 1723.365972] pci_device_remove+0x42/0xb0
[ 1723.366481] device_release_driver_internal+0x1a9/0x210
[ 1723.366987] pci_stop_bus_device+0x6d/0x90
[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20
[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120
[ 1723.368309] sriov_disable+0x34/0xe0
[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf]
[ 1723.368982] sriov_numvfs_store+0xda/0x1c0
Avoid the NULL pointer dereference by adding a NULL pointer check for vport_config[i] before freeing user_config.q_coalesce. 2025-12-16 not yet calculated CVE-2025-68213 https://git.kernel.org/stable/c/a0e1c9bc1c9fe735978150ad075616a728073bc7
https://git.kernel.org/stable/c/d5be8663cff0ba7b94da34ebd499ce1123b4c334
https://git.kernel.org/stable/c/118082368c2b6ddefe6cb607efc312285148f044
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:
CPU0                                    CPU1
<SOFTIRQ>
lock_timer_base()
expire_timers()
  base->running_timer = timer;
unlock_timer_base()
[call_timer_fn enter]
  mod_timer()
  …
                                        timer_shutdown_sync()
                                          lock_timer_base()
                                          // For now, will not detach the timer but only clear its function to NULL
                                          if (base->running_timer != timer)
                                            ret = detach_if_pending(timer, base, true);
                                          if (shutdown)
                                            timer->function = NULL;
                                          unlock_timer_base()
[call_timer_fn exit]
lock_timer_base()
base->running_timer = NULL;
unlock_timer_base()
…
// Now timer is pending while its function set to NULL.
// next timer trigger
<SOFTIRQ>
expire_timers()
  WARN_ON_ONCE(!fn) // hit
…
                                        lock_timer_base()
                                        // Now timer will detach
                                        if (base->running_timer != timer)
                                          ret = detach_if_pending(timer, base, true);
                                        if (shutdown)
                                          timer->function = NULL;
                                        unlock_timer_base()
The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running. 2025-12-16 not yet calculated CVE-2025-68214 https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a
https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914
https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585
https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a
https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ice: fix PTP cleanup on driver removal in error path Improve the cleanup on releasing PTP resources in the error path. The error case might happen either at the driver probe and PTP feature initialization or on PTP restart (errors in reset handling, NVM update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf function) and ‘ps_lock’ mutex deinitialization were missed. Additionally, the ptp clock was not unregistered in the latter case. Keep PTP state as ‘uninitialized’ on init to distinguish between error scenarios and to avoid resource release duplication at driver removal. The consequence of the missing ice_ptp_cleanup_pf call is the following call trace dumped when the ice_adapter object is freed (port list is not empty, as it is required at this stage):
[ T93022] ------------[ cut here ]------------
[ T93022] WARNING: CPU: 10 PID: 93022 at ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]
…
[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]
…
[ T93022] Call Trace:
[ T93022] <TASK>
[ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] ? __warn.cold+0xb0/0x10e
[ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] ? report_bug+0xd8/0x150
[ T93022] ? handle_bug+0xe9/0x110
[ T93022] ? exc_invalid_op+0x17/0x70
[ T93022] ? asm_exc_invalid_op+0x1a/0x20
[ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c]
[ T93022] pci_device_remove+0x42/0xb0
[ T93022] device_release_driver_internal+0x19f/0x200
[ T93022] driver_detach+0x48/0x90
[ T93022] bus_remove_driver+0x70/0xf0
[ T93022] pci_unregister_driver+0x42/0xb0
[ T93022] ice_module_exit+0x10/0xdb0 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c]
…
[ T93022] ---[ end trace 0000000000000000 ]---
[ T93022] ice: module unloaded
2025-12-16 not yet calculated CVE-2025-68215 https://git.kernel.org/stable/c/f5eb91f876ebecbcd90f9edcaea98dcb354603b3
https://git.kernel.org/stable/c/765236f2c4fbba7650436b71a0e350500e9ec15f
https://git.kernel.org/stable/c/23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Disable trampoline for kernel module function trace The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems:
* The `bpf_selftests/module_attach` test fails consistently.
* Kernel lockup when a BPF program is attached to a module function [1].
* Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry [2].
Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to kernel module functions on LoongArch. This is a temporary mitigation until the core issues in the trampoline code for kernel module handling can be identified and fixed.
[root@fedora bpf]# ./test_progs -a module_attach -v
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko…
Successfully loaded bpf_testmod.ko.
test_module_attach:PASS:skel_open 0 nsec
test_module_attach:PASS:set_attach_target 0 nsec
test_module_attach:PASS:set_attach_target_explicit 0 nsec
test_module_attach:PASS:skel_load 0 nsec
libbpf: prog ‘handle_fentry’: failed to attach: -ENOTSUPP
libbpf: prog ‘handle_fentry’: failed to auto-attach: -ENOTSUPP
test_module_attach:FAIL:skel_attach skeleton attach failed: -524
Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
Successfully unloaded bpf_testmod.ko.
[1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/
[2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/
2025-12-16 not yet calculated CVE-2025-68216 https://git.kernel.org/stable/c/44eb3849378be5f72b8be03edbacbdcd6f5eade4
https://git.kernel.org/stable/c/677e6123e3d24adaa252697dc89740f2ac07664e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Input: pegasus-notetaker – fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. 2025-12-16 not yet calculated CVE-2025-68217 https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd
https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513
https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77
https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6
https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479
https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26
https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f
https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: fix lockdep WARN due to partition scan work Blktests test cases nvme/014, 057 and 058 fail occasionally due to a lockdep WARN. As reported in the Closes tag URL, the WARN indicates that a deadlock can happen due to the dependency among disk->open_mutex, kblockd workqueue completion and partition_scan_work completion. To avoid the lockdep WARN and the potential deadlock, cut the dependency by running the partition_scan_work not by kblockd workqueue but by nvme_wq. 2025-12-16 not yet calculated CVE-2025-68218 https://git.kernel.org/stable/c/89456dab7ba5ab63d60945440926673a3205e829
https://git.kernel.org/stable/c/e2a897ad5f538d314955c747a0a2edb184fcdecd
https://git.kernel.org/stable/c/ef4ab2a8abe554379e10303ae86f7c501336ba0d
https://git.kernel.org/stable/c/b03eb63288a8ffe3adfb34e68309c8e2edb06d0b
https://git.kernel.org/stable/c/6d87cd5335784351280f82c47cc8a657271929c3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: cifs: fix memory leak in smb3_fs_context_parse_param error path Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues. This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed. The specific leak sequence was: 1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory 2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory 3. A subsequent error jumps to cifs_parse_mount_err 4. The old error handler freed passwords but not the source strings, causing the memory to leak. This issue was not addressed by commit e8c73eb7db0a (“cifs: client: fix memory leak in smb3_fs_context_parse_param”), which only fixed leaks from repeated fsconfig() calls but not this error path. Patch updated with minor change suggested by kernel test robot 2025-12-16 not yet calculated CVE-2025-68219 https://git.kernel.org/stable/c/7627864dc3121f39e220f5253a227edf472de59e
https://git.kernel.org/stable/c/48d69290270891f988e72edddd9688c20515421d
https://git.kernel.org/stable/c/37010021d7e0341bb241ca00bcbae31f2c50b23f
https://git.kernel.org/stable/c/7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Make knav_dma_open_channel consistently return NULL on error instead of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h returns NULL when the driver is disabled, but the driver implementation does not even return NULL or ERR_PTR on failure, causing inconsistency in the users. This results in a crash in netcp_free_navigator_resources as followed (trimmed): Unhandled fault: alignment exception (0x221) at 0xfffffff2 [fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000 Internal error: : 221 [#1] SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE Hardware name: Keystone PC is at knav_dma_close_channel+0x30/0x19c LR is at netcp_free_navigator_resources+0x2c/0x28c [… TRIM…] Call trace: knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c netcp_ndo_open from __dev_open+0x114/0x29c __dev_open from __dev_change_flags+0x190/0x208 __dev_change_flags from netif_change_flags+0x1c/0x58 netif_change_flags from dev_change_flags+0x38/0xa0 dev_change_flags from ip_auto_config+0x2c4/0x11f0 ip_auto_config from do_one_initcall+0x58/0x200 do_one_initcall from kernel_init_freeable+0x1cc/0x238 kernel_init_freeable from kernel_init+0x1c/0x12c kernel_init from ret_from_fork+0x14/0x38 [… TRIM…] Standardize the error handling by making the function return NULL on all error conditions. The API is used in just the netcp_core.c so the impact is limited. Note, this change, in effect reverts commit 5b6cb43b4d62 (“net: ethernet: ti: netcp_core: return error while dma channel open issue”), but provides a less error prone implementation. 2025-12-16 not yet calculated CVE-2025-68220 https://git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3
https://git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353b
https://git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259
https://git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5
https://git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373
https://git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2b
https://git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9
https://git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Fix inverted WARN_ON_ONCE condition that prevented normal address removal counter updates. The current code only executes decrement logic when the counter is already 0 (abnormal state), while normal removals (counter > 0) are ignored. 2025-12-16 not yet calculated CVE-2025-68221 https://git.kernel.org/stable/c/f7d953c38245c0e9d8e268fb6a9e524602fb44ec
https://git.kernel.org/stable/c/92e239e36d600002559074994a545fcfac9afd2d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its fields are initialized. Notably, num_custom_params is used in pinconf_generic_parse_dt_config(), resulting in intermittent allocation errors, such as the following splat when probing i2c-imx: WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 […] Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) […] Call trace: __alloc_pages_noprof+0x290/0x300 (P) ___kmalloc_large_node+0x84/0x168 __kmalloc_large_node_noprof+0x34/0x120 __kmalloc_noprof+0x2ac/0x378 pinconf_generic_parse_dt_config+0x68/0x1a0 s32_dt_node_to_map+0x104/0x248 dt_to_map_one_config+0x154/0x1d8 pinctrl_dt_to_map+0x12c/0x280 create_pinctrl+0x6c/0x270 pinctrl_get+0xc0/0x170 devm_pinctrl_get+0x50/0xa0 pinctrl_bind_pins+0x60/0x2a0 really_probe+0x60/0x3a0 […] __platform_driver_register+0x2c/0x40 i2c_adap_imx_init+0x28/0xff8 [i2c_imx] […] This results in later parse failures that can cause issues in dependent drivers: s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property […] pca953x 0-0022: failed writing register: -6 i2c i2c-0: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property i2c i2c-1: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property i2c i2c-2: IMX I2C adapter registered Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of devm_kmalloc() in s32_pinctrl_probe(), which sets the previously uninitialized fields to zero. 2025-12-16 not yet calculated CVE-2025-68222 https://git.kernel.org/stable/c/3b90bd8aaeb21b513ecc4ed03299e80ece44a333
https://git.kernel.org/stable/c/583ac7f65791ceda38ea1a493a4859f7161dcb03
https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7165b7730b038cfe42102004
https://git.kernel.org/stable/c/97ea34defbb57bfaf71ce487b1b0865ffd186e81
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because incorrectly returning false from signaled() is perfectly acceptable. (cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db) 2025-12-16 not yet calculated CVE-2025-68223 https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5
https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41
https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a regression triggered by scsi_host_busy() Commit 995412e23bb2 (“blk-mq: Replace tags->lock with SRCU for tag iterators”) introduced the following regression: Call trace: __srcu_read_lock+0x30/0x80 (P) blk_mq_tagset_busy_iter+0x44/0x300 scsi_host_busy+0x38/0x70 ufshcd_print_host_state+0x34/0x1bc ufshcd_link_startup.constprop.0+0xe4/0x2e0 ufshcd_init+0x944/0xf80 ufshcd_pltfrm_init+0x504/0x820 ufs_rockchip_probe+0x2c/0x88 platform_probe+0x5c/0xa4 really_probe+0xc0/0x38c __driver_probe_device+0x7c/0x150 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1e0 bus_for_each_dev+0x7c/0xdc driver_attach+0x24/0x30 bus_add_driver+0x110/0x230 driver_register+0x68/0x130 __platform_driver_register+0x20/0x2c ufs_rockchip_pltform_init+0x1c/0x28 do_one_initcall+0x60/0x1e0 kernel_init_freeable+0x248/0x2c4 kernel_init+0x20/0x140 ret_from_fork+0x10/0x20 Fix this regression by making scsi_host_busy() check whether the SCSI host tag set has already been initialized. tag_set->ops is set by scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This fix is based on the assumption that scsi_host_busy() and scsi_mq_setup_tags() calls are serialized. This is the case in the UFS driver. 2025-12-16 not yet calculated CVE-2025-68224 https://git.kernel.org/stable/c/143257917b836bd5fc434063030fda199e249624
https://git.kernel.org/stable/c/804b5b8e3545445450387ae6891262c421c49304
https://git.kernel.org/stable/c/d579f496681c5136d63cb4fbb685511227e73602
https://git.kernel.org/stable/c/5d778778b40bcdfd9f8817fea1ec6ebcbec69c0a
https://git.kernel.org/stable/c/47c8b35a1f1d53aac156480cea0a0c5c82919f03
https://git.kernel.org/stable/c/e208fb1660c4a43f06b7b66c3ff22dde84ec3990
https://git.kernel.org/stable/c/a0b7780602b1b196f47e527fec82166a7e67c4d0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: lib/test_kho: check if KHO is enabled We must check whether KHO is enabled prior to issuing KHO commands, otherwise KHO internal data structures are not initialized. 2025-12-16 not yet calculated CVE-2025-68225 https://git.kernel.org/stable/c/bb3267bedd902ec457643b1326cccddafb82e901
https://git.kernel.org/stable/c/a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix incomplete backport in cfids_invalidation_worker() The previous commit bdb596ceb4b7 (“smb: client: fix potential UAF in smb2_close_cached_fid()”) was an incomplete backport and missed one kref_put() call in cfids_invalidation_worker() that should have been converted to close_cached_dir(). 2025-12-16 not yet calculated CVE-2025-68226 https://git.kernel.org/stable/c/abd29b6e17a918fdd68352ce4813e167acc8727e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap’s custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk’s sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap’s custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept (net/mptcp/protocol.c:4005) Modules linked in: … PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- 2025-12-16 not yet calculated CVE-2025-68227 https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c
https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4
https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb
https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8
https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb
https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00
https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/plane: Fix create_in_format_blob() return value create_in_format_blob() is either supposed to return a valid pointer or an error, but never NULL. The caller will dereference the blob when it is not an error, and thus will oops if NULL returned. Return proper error values in the failure cases. 2025-12-16 not yet calculated CVE-2025-68228 https://git.kernel.org/stable/c/860f93f4fce1e733b8a2474f6bfa153243d775f3
https://git.kernel.org/stable/c/cead55e24cf9e092890cf51c0548eccd7569defa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] … Call Trace: <TASK> configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0 … 2025-12-16 not yet calculated CVE-2025-68229 https://git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268
https://git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b
https://git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf
https://git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe
https://git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663
https://git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6
https://git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b
https://git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough On a PF passthrough environment, after hibernate and then resume, coralgemm will cause a gpu page fault. Mode1 reset happens during hibernate, but the partition mode is not restored on resume, so the registers mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL are not right after resume. When the CP accesses the MQD BO, the wrong stride size is used, which causes an out-of-bounds access on the MQD BO, resulting in a page fault. The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called when resuming from hibernation. KFD resume is called separately during a reset recovery or resume from suspend sequence. Hence it’s not required to be called as part of partition switch. (cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a) 2025-12-16 not yet calculated CVE-2025-68230 https://git.kernel.org/stable/c/a45d6359eefb41e08d374a3260b10bff5626823b
https://git.kernel.org/stable/c/eef72d856f978955e633c270abb1f7ec7b61c6d2
https://git.kernel.org/stable/c/eb6e7f520d6efa4d4ebf1671455abe4a681f7a05
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) – not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it’s straightforward to fix this with a loop that’s mapping, poisoning or checking and unmapping individual pages. 2025-12-16 not yet calculated CVE-2025-68231 https://git.kernel.org/stable/c/ea4131665107e66ece90e66bcec1a2f1246cbd41
https://git.kernel.org/stable/c/19de79aaea33ee1ea058c8711b3b2b4a7e4decd4
https://git.kernel.org/stable/c/6a13b56537e7b0d97f4bb74e8038ce471f9770d7
https://git.kernel.org/stable/c/a79e49e1704367b635edad1479db23d7cf1fb71a
https://git.kernel.org/stable/c/ec33b59542d96830e3c89845ff833cf7b25ef172
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: veth: more robust handing of race to avoid txq getting stuck Commit dc82a33297fc (“veth: apply qdisc backpressure on full ptr_ring to reduce TX drops”) introduced a race condition that can lead to a permanently stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra Max). The race occurs in veth_xmit(). The producer observes a full ptr_ring and stops the queue (netif_tx_stop_queue()). The subsequent conditional logic, intended to re-wake the queue if the consumer had just emptied it (if (__ptr_ring_empty(…)) netif_tx_wake_queue()), can fail. This leads to a “lost wakeup” where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and traffic halts. This failure is caused by an incorrect use of the __ptr_ring_empty() API from the producer side. As noted in kernel comments, this check is not guaranteed to be correct if a consumer is operating on another CPU. The empty test is based on ptr_ring->consumer_head, making it reliable only for the consumer. Using this check from the producer side is fundamentally racy. This patch fixes the race by adopting the more robust logic from an earlier version V4 of the patchset, which always flushed the peer: (1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier are removed. Instead, after stopping the queue, we unconditionally call __veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled, making it solely responsible for re-waking the TXQ. This handles the race where veth_poll() consumes all packets and completes NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue. The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule NAPI. (2) On the consumer side, the logic for waking the peer TXQ is moved out of veth_xdp_rcv() and placed at the end of the veth_poll() function. 
This placement is part of fixing the race, as the netif_tx_queue_stopped() check must occur after rx_notify_masked is potentially set to false during NAPI completion. This handles the race where veth_poll() consumes all packets but hasn’t finished (rx_notify_masked is still true). The producer veth_xmit() stops the TXQ and __veth_xdp_flush(rq) observes that rx_notify_masked is true, meaning NAPI is not started. Then veth_poll() changes rx_notify_masked to false and stops NAPI. Before exiting, veth_poll() observes that the TXQ is stopped and wakes it up. 2025-12-16 not yet calculated CVE-2025-68232 https://git.kernel.org/stable/c/dd419a3f2ebc18cc00bc32c57fd052d7a188b78b
https://git.kernel.org/stable/c/6c8a8b9257a660e622689e23c8fbad4ba2b561b9
https://git.kernel.org/stable/c/5442a9da69789741bfda39f34ee7f69552bf0c56
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [mperttunen@nvidia.com: reword commit message] 2025-12-16 not yet calculated CVE-2025-68233 https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd
https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e
https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5
https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1
https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/cmd_net: fix wrong argument types for skb_queue_splice() If timestamp retrieving needs to be retried and the local list of SKB’s already has entries, then it’s spliced back into the socket queue. However, the arguments for the splice helper are transposed, causing exactly the wrong direction of splicing into the on-stack list. Fix that up. 2025-12-16 not yet calculated CVE-2025-68234 https://git.kernel.org/stable/c/c85d2cfc5e24e6866b56c7253fd4e1c7db35986c
https://git.kernel.org/stable/c/46447367a52965e9d35f112f5b26fc8ff8ec443d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated. 2025-12-16 not yet calculated CVE-2025-68235 https://git.kernel.org/stable/c/7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0
https://git.kernel.org/stable/c/6492add9a3a163d5e0390428d2636adc3e61b883
https://git.kernel.org/stable/c/2bba02a39bfb383bd1a95868d532c0917e38f9e7
https://git.kernel.org/stable/c/949f1fd2225baefbea2995afa807dba5cbdb6bd3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) According to UFS specifications, the power-off sequence for a UFS device includes: – Sending an SSU command with Power_Condition=3 and awaiting a response. – Asserting RST_N low. – Turning off REF_CLK. – Turning off VCC. – Turning off VCCQ/VCCQ2. As part of UFS shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up and execute its reset routine. This routine initializes hardware blocks and takes a few milliseconds to complete. During this time, the ICCQ draws a large current. This large ICCQ current may cause issues for the regulator which is supplying power to UFS, because the turn-off request from the UFS driver to the regulator framework will be immediately followed by a low power mode (LPM) request by the regulator framework. This is done by the framework because UFS, which is the only client, is requesting a disable. So if the rail is still in the process of shutting down while ICCQ exceeds LPM current thresholds, and LPM mode is activated in hardware during this state, it may trigger an overcurrent protection (OCP) fault in the regulator. To prevent this, a 10ms delay is added after asserting HWRST. This allows the reset operation to complete while power rails remain active and in high-power mode. Currently there is no way for the Host to query whether the reset is completed or not, and hence the delay is based on experiments with Qualcomm UFS controllers across multiple UFS vendors. 2025-12-16 not yet calculated CVE-2025-68236 https://git.kernel.org/stable/c/b712f234a74c1f5ce70b5d7aec3fc2499c258141
https://git.kernel.org/stable/c/5127be409c6c3815c4a7d8f6d88043e44f9b9543
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mtdchar: fix integer overflow in read/write ioctls The “req.start” and “req.len” variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of “req.len” so that’s capped at U32_MAX but the “req.start” variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug. 2025-12-16 not yet calculated CVE-2025-68237 https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e
https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b
https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97
https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212
https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA device pointer `dma_dev` was being dereferenced before ensuring that `cdns_ctrl->dmac` is properly initialized. Move the assignment of `dma_dev` after successfully acquiring the DMA channel to ensure the pointer is valid before use. 2025-12-16 not yet calculated CVE-2025-68238 https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43
https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd
https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126
https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f
https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef
https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b
https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail. Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly. 2025-12-16 not yet calculated CVE-2025-68239 https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459
https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nilfs2: avoid having an active sc_timer before freeing sci Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed. Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer. We use timer_shutdown_sync() to synchronously wait for sc_timer to shut down, and set the value of sc_task to NULL under the protection of the lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down. [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace: nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline] nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877 nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509 2025-12-16 not yet calculated CVE-2025-68240 https://git.kernel.org/stable/c/36049e81dc7f077e0e24d5b9688a7458beacef8f
https://git.kernel.org/stable/c/2f65799e2a736d556d306440c4e1e8906736117a
https://git.kernel.org/stable/c/9a6b60cb147d53968753a34805211d2e5e08c027
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver’s packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path’s __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1 2025-12-16 not yet calculated CVE-2025-68241 https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca
https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282
https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1
https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94
https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8
https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e
https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0
https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: NFS: Fix LTP test failures when timestamps are delegated The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the ‘nobody’ user ID. The problem can be reproduced as follow: # echo "/media *(rw,no_root_squash,sync)" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06 This issue occurs because nfs_setattr does not verify the inode’s UID against the caller’s fsuid when delegated timestamps are permitted for the inode. This patch adds the UID check and if it does not match then the request is sent to the server for permission checking. 2025-12-16 not yet calculated CVE-2025-68242 https://git.kernel.org/stable/c/b2e4cda71ed062c87573b016d2d956a62f4258ed
https://git.kernel.org/stable/c/0e9be902041c6b9f0ed4b72764187eed1067a42f
https://git.kernel.org/stable/c/b623390045a81fc559decb9bfeb79319721d3dfb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: NFS: Check the TLS certificate fields in nfs_match_client() If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client’s identity, as presented to the server. 2025-12-16 not yet calculated CVE-2025-68243 https://git.kernel.org/stable/c/b8fa37219074811c04d4ecb742c73e2b296da6a8
https://git.kernel.org/stable/c/fb2cba0854a7f315c8100a807a6959b99d72479e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks. [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U [86.861226] —————————————————— [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292] dma_resv_lockdep+0x19a/0x390 [86.862315] do_one_initcall+0x60/0x3f0 [86.862334] kernel_init_freeable+0x3cd/0x680 [86.862353] kernel_init+0x1b/0x200 [86.862369] ret_from_fork+0x47/0x70 [86.862383] ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425] dma_resv_lockdep+0x178/0x390 [86.862440] do_one_initcall+0x60/0x3f0 [86.862454] kernel_init_freeable+0x3cd/0x680 [86.862470] kernel_init+0x1b/0x200 [86.862482] ret_from_fork+0x47/0x70 [86.862495] ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531] down_read_killable+0x46/0x1e0 [86.862546] lock_mm_and_find_vma+0xa2/0x280 [86.862561] do_user_addr_fault+0x266/0x8e0 [86.862578] exc_page_fault+0x8a/0x2f0 [86.862593] asm_exc_page_fault+0x27/0x30 [86.862607] filldir64+0xeb/0x180 [86.862620] kernfs_fop_readdir+0x118/0x480 [86.862635] iterate_dir+0xcf/0x2b0 [86.862648] __x64_sys_getdents64+0x84/0x140 [86.862661] x64_sys_call+0x1058/0x2660 [86.862675] do_syscall_64+0x91/0xe90 [86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725] down_write+0x3e/0xf0 [86.862738] kernfs_add_one+0x30/0x3c0 [86.862751] kernfs_create_dir_ns+0x53/0xb0 [86.862765] internal_create_group+0x134/0x4c0 [86.862779] sysfs_create_group+0x13/0x20 [86.862792] topology_add_dev+0x1d/0x30 [86.862806] cpuhp_invoke_callback+0x4b5/0x850 [86.862822] cpuhp_issue_call+0xbf/0x1f0 [86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852] __cpuhp_setup_state+0xb0/0x220 [86.862866] topology_sysfs_init+0x30/0x50 [86.862879] do_one_initcall+0x60/0x3f0 [86.862893] kernel_init_freeable+0x3cd/0x680 [86.862908] kernel_init+0x1b/0x200 [86.862921] ret_from_fork+0x47/0x70 [86.862934] ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969] __mutex_lock+0xaa/0xed0 
[86.862982] mutex_lock_nested+0x1b/0x30 [86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012] __cpuhp_setup_state+0xb0/0x220 [86.863026] page_alloc_init_cpuhp+0x2d/0x60 [86.863041] mm_core_init+0x22/0x2d0 [86.863054] start_kernel+0x576/0xbd0 [86.863068] x86_64_start_reservations+0x18/0x30 [86.863084] x86_64_start_kernel+0xbf/0x110 [86.863098] common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135] __lock_acquire+0x16 —truncated— 2025-12-16 not yet calculated CVE-2025-68244 https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d
https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b
https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd
https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281
https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e
https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 (“netpoll: fix use after free”) incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 – Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. – Now dev->npinfo->refcnt = 2; – There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: – The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. – It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` – Set dev->npinfo = NULL, without proper cleanup – No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up – The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) – This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 (“netpoll: fix use after free”) and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. 2025-12-16 not yet calculated CVE-2025-68245 https://git.kernel.org/stable/c/8e6a50edad11e3e1426e4c29e7aa6201f3468ac2
https://git.kernel.org/stable/c/9b0bb18b4b9dc017c1825a2c5e763615e34a1593
https://git.kernel.org/stable/c/890472d6fbf062e6de7fdd56642cb305ab79d669
https://git.kernel.org/stable/c/4afd4ebbad52aa146838ec23082ba393e426a2bb
https://git.kernel.org/stable/c/c645693180a98606c430825223d2029315d85e9d
https://git.kernel.org/stable/c/c79a6d9da29219616b118a3adce9a14cd30f9bd0
https://git.kernel.org/stable/c/9a51b5ccd1c79afec1c03a4e1e6688da52597556
https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: close accepted socket when per-IP limit rejects connection When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. 2025-12-16 not yet calculated CVE-2025-68246 https://git.kernel.org/stable/c/7a3c7154d5fc05956a8ad9e72ecf49e21555bfca
https://git.kernel.org/stable/c/5746b2a0f5eb3d79667b3c51fe849bd62464220e
https://git.kernel.org/stable/c/4587a7826be1ae0190dba10ff70b46bb0e3bc7d3
https://git.kernel.org/stable/c/35521b5a7e8a184548125f4530552101236dcda1
https://git.kernel.org/stable/c/98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: posix-timers: Plug potential memory leak in do_timer_create() When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure. Move the allocation after the user space access to cure that. [ tglx: Massaged change log ] 2025-12-16 not yet calculated CVE-2025-68247 https://git.kernel.org/stable/c/f417f44524e7fc098e787c718d838b32723c0b2d
https://git.kernel.org/stable/c/e0fd4d42e27f761e9cc82801b3f183e658dc749d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: vmw_balloon: indicate success when effectively deflating during migration When migrating a balloon page, we first deflate the old page to then inflate the new page. However, if inflating the new page succeeded, we effectively deflated the old page, reducing the balloon size. In that case, the migration actually worked: similar to migrating+ immediately deflating the new page. The old page will be freed back to the buddy. Right now, the core will leave the page be marked as isolated (as we returned an error). When later trying to putback that page, we will run into the WARN_ON_ONCE() in balloon_page_putback(). That handling was changed in commit 3544c4faccb8 (“mm/balloon_compaction: stop using __ClearPageMovable()”); before that change, we would have tolerated that way of handling it. To fix it, let’s just return 0 in that case, making the core effectively just clear the “isolated” flag + freeing it back to the buddy as if the migration succeeded. Note that the new page will also get freed when the core puts the last reference. Note that this also makes it all be more consistent: we will no longer unisolate the page in the balloon driver while keeping it marked as being isolated in migration core. This was found by code inspection. 2025-12-16 not yet calculated CVE-2025-68248 https://git.kernel.org/stable/c/aa05a044c5c2e147d726ac2fae1a97e0775eac11
https://git.kernel.org/stable/c/4ba5a8a7faa647ada8eae61a36517cf369f5bbe4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc’ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device. This removes the WARNING and fixes the pre-initialization error path. 2025-12-16 not yet calculated CVE-2025-68249 https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c
https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24
https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd
https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95
https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253
https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620
https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: hung_task: fix warnings caused by unaligned lock pointers The blocker tracking mechanism assumes that lock pointers are at least 4-byte aligned to use their lower bits for type encoding. However, as reported by Eero Tamminen, some architectures like m68k only guarantee 2-byte alignment of 32-bit values. This breaks the assumption and causes two related WARN_ON_ONCE checks to trigger. To fix this, the runtime checks are adjusted to silently ignore any lock that is not 4-byte aligned, effectively disabling the feature in such cases and avoiding the related warnings. Thanks to Geert Uytterhoeven for bisecting! 2025-12-16 not yet calculated CVE-2025-68250 https://git.kernel.org/stable/c/c0e2dcbe54cb15ecdf9d8f4501c6720423243888
https://git.kernel.org/stable/c/c97513cddcfc235f2522617980838e500af21d01
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loops due to corrupted subpage compact indexes Robert reported an infinite loop observed by two crafted images. The root cause is that `clusterofs` can be larger than `lclustersize` for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515 Move the corresponding check for full compress indexes to `z_erofs_load_lcluster_from_disk()` to also cover subpage compact compress indexes. It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check, since it should be placed right after `z_erofs_load_{compact,full}_lcluster()`. 2025-12-16 not yet calculated CVE-2025-68251 https://git.kernel.org/stable/c/8675447a8794983f2b7e694b378112772c17635e
https://git.kernel.org/stable/c/e13d315ae077bb7c3c6027cc292401bc0f4ec683
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map is found. Rule: add 2025-12-16 not yet calculated CVE-2025-68252 https://git.kernel.org/stable/c/c2fef5ebb73f3dabae6fbc571d181914ed32c483
https://git.kernel.org/stable/c/9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3
https://git.kernel.org/stable/c/e17b13387827adce7acb19ac0f07f9bcafe0ff4c
https://git.kernel.org/stable/c/214e81a63a9aa0be42382ef0365ba5ed32c513ab
https://git.kernel.org/stable/c/fff111bf45cbeeb659324316d68554e35d350092
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm: don’t spin in add_stack_record when gfp flags don’t allow syzbot was able to find the following path: add_stack_record_to_list mm/page_owner.c:182 [inline] inc_stack_record_count mm/page_owner.c:214 [inline] __set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554 Don’t spin in add_stack_record_to_list() when it is called from *_nolock() context. 2025-12-16 not yet calculated CVE-2025-68253 https://git.kernel.org/stable/c/504174133453e3af73e626e328603d7eb5986f34
https://git.kernel.org/stable/c/c83aab85e18103a6dc066b4939e2c92a02bb1b05
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them. This prevents OOB reads caused by malformed beacon frames. 2025-12-16 not yet calculated CVE-2025-68254 https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5
https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76
https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc
https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. 2025-12-16 not yet calculated CVE-2025-68255 https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b
https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5
https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875
https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames. 2025-12-16 not yet calculated CVE-2025-68256 https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5
https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb
https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501
https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: comedi: check device’s attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device’s attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring device’s attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 … CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] … 2025-12-16 not yet calculated CVE-2025-68257 https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc
https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d
https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3
https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. … Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 … 2025-12-16 not yet calculated CVE-2025-68258 https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48
https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3
https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3
https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don’t skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 (“KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction”), failure to verify that the correct INTn instruction was decoded can effectively clobber guest state due to decoding the wrong instruction and thus specifying the wrong next RIP. The bug most often manifests as “Oops: int3” panics on static branch checks in Linux guests. Enabling or disabling a static branch in Linux uses the kernel’s “text poke” code patching mechanism. To modify code while other CPUs may be executing that code, Linux (temporarily) replaces the first byte of the original instruction with an int3 (opcode 0xcc), then patches in the new code stream except for the first byte, and finally replaces the int3 with the first byte of the new code stream. If a CPU hits the int3, i.e. executes the code while it’s being modified, then the guest kernel must look up the RIP to determine how to handle the #BP, e.g. by emulating the new instruction. If the RIP is incorrect, then this lookup fails and the guest kernel panics. The bug reproduces almost instantly by hacking the guest kernel to repeatedly check a static branch[1] while running a drgn script[2] on the host to constantly swap out the memory containing the guest’s TSS. [1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a [2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b 2025-12-16 not yet calculated CVE-2025-68259 https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4
https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa
https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3
https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix race condition on death_list Rust Binder contains the following unsafe operation: // SAFETY: A `NodeDeath` is never inserted into the death list // of any node other than its owner, so it is either in this // death list or in no death list. unsafe { node_inner.death_list.remove(self) }; This operation is unsafe because when touching the prev/next pointers of a list element, we have to ensure that no other thread is also touching them in parallel. If the node is present in the list that `remove` is called on, then that is fine because we have exclusive access to that list. If the node is not in any list, then it’s also ok. But if it’s present in a different list that may be accessed in parallel, then that may be a data race on the prev/next pointers. And unfortunately that is exactly what is happening here. In Node::release, we: 1. Take the lock. 2. Move all items to a local list on the stack. 3. Drop the lock. 4. Iterate the local list on the stack. Combined with threads using the unsafe remove method on the original list, this leads to memory corruption of the prev/next pointers. 
This leads to crashes like this one: Unable to handle kernel paging request at virtual address 000bb9841bcac70e Mem abort info: ESR = 0x0000000096000044 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [000bb9841bcac70e] address between user and kernel address ranges Internal error: Oops: 0000000096000044 [#1] PREEMPT SMP google-cdd 538c004.gcdd: context saved(CPU:1) item – log_kevents is disabled Modules linked in: … rust_binder CPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S W OE 6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: MUSTANG PVT 1.0 based on LGA (DT) Workqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder] pstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=–) pc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder] lr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder] sp : ffffffc09b433ac0 x29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448 x26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578 x23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40 x20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00 x17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0 x14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0 x11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000 x8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : 
fffffffebee63f30 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00 Call trace: _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc] process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1c8 ret_from_fork+0x10/0x20 Code: 94218d85 b4000155 a94026a8 d10102a0 (f9000509) ---[ end trace 0000000000000000 ]--- Thus, modify Node::release to pop items directly off the original list. 2025-12-16 not yet calculated CVE-2025-68260 https://git.kernel.org/stable/c/3428831264096d32f830a7fcfc7885dd263e511a
https://git.kernel.org/stable/c/3e0ae02ba831da2b707905f4e602e43f8507b8cc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). Without i_data_sem protection, ext4_ind_map_blocks() may receive an inode with the EXT4_INODE_EXTENTS flag set and trigger the assert. kernel BUG at fs/ext4/indirect.c:546! EXT4-fs (loop2): unmounting filesystem. invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 Call Trace: <TASK> ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 2025-12-16 not yet calculated CVE-2025-68261 https://git.kernel.org/stable/c/22a76b0861ae61a299c8e126c1aca8c4fda820fd
https://git.kernel.org/stable/c/ba8aeff294ac7ff6dfe293663d815c54c5ee218c
https://git.kernel.org/stable/c/5cad18e527ba8a9ca5463cc170073eeb5a4826f4
https://git.kernel.org/stable/c/0cd8feea8777f8d9b9a862b89c688b049a5c8475
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: zstd – fix double-free in per-CPU stream cleanup The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This leads to a stack trace similar to: BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entire_mapcount Modules linked in: … CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: … Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 bad_page+0x71/0xd0 free_unref_page_prepare+0x24e/0x490 free_unref_page+0x60/0x170 crypto_acomp_free_streams+0x5d/0xc0 crypto_acomp_exit_tfm+0x23/0x50 crypto_destroy_tfm+0x60/0xc0 … Change the lifecycle management of zstd_streams to free the streams only once during module cleanup. 2025-12-16 not yet calculated CVE-2025-68262 https://git.kernel.org/stable/c/dc0f4509b0ed5d82bef78e058db0ac4df04d0695
https://git.kernel.org/stable/c/e983feaa79de1e46c9087fb9f02fedb0e5397ce6
https://git.kernel.org/stable/c/48bc9da3c97c15f1ea24934bcb3b736acd30163d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is copying data into entry->response while ipc_msg_send_request() has just freed it, leading to a slab-use-after-free reported by KASAN in handle_generic_event(): BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] Write of size 12 at addr ffff888198ee6e20 by task pool/109349 … Freed by task: kvfree ipc_msg_send_request [ksmbd] ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd] Fix by: – Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table. – Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock. – Returning NULL in the error path, preserving the original API semantics. This makes all accesses to entry->response consistent with handle_response(), which already updates and fills the response buffer under ipc_msg_table_lock, and closes the race that allowed the UAF. 2025-12-16 not yet calculated CVE-2025-68263 https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e
https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b
https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa
https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications. This is similar to commit a54c4613dac1 (“ext4: fix race writing to an inline_data file while its xattrs are changing”) which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue. 2025-12-16 not yet calculated CVE-2025-68264 https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b
https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e
https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d
https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller’s admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller’s ‘put’ to after all controller references have been released, to ensure no one can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: <TASK> dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60 </TASK> 2025-12-16 not yet calculated CVE-2025-68265 https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf
https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b
https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that the S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32-bit “mode” field loaded from disk are corrupted or when the 32-bit “attributes” field loaded from disk is corrupted. The documentation says that BFS uses only the lower 9 bits of the “mode” field, but I can’t find an explicit explanation that the unused upper 23 bits (especially the S_IFMT bits) are initialized with 0. Therefore, ignore the S_IFMT bits of the “mode” field loaded from disk. Also, verify that the value of the “attributes” field loaded from disk is either BFS_VREG or BFS_VDIR (because BFS supports only regular files and the root directory). 2025-12-16 not yet calculated CVE-2025-68266 https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223
https://git.kernel.org/stable/c/a8cb796e7e2cb7971311ba236922f5e7e1be77e6
https://git.kernel.org/stable/c/34ab4c75588c07cca12884f2bf6b0347c7a13872
 
emiago–sipgo SIPGO is a library for writing SIP services in the Go language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability exists in the SIPGO library’s `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling – not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. Version 1.0.0-alpha-1 contains a patch for the issue. 2025-12-16 not yet calculated CVE-2025-68274 https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv
https://github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue. 2025-12-17 not yet calculated CVE-2025-68275 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3q97-q4hv-gxwr
 
tinacms–tinacms Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue. 2025-12-18 not yet calculated CVE-2025-68278 https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628
https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list “struct sdca_control” declares the “values” field as an integer array, but the memory allocated to it is sized for a char array. This causes a crash in the sdca_parse_function API. This patch addresses the issue by allocating the correct data size. 2025-12-16 not yet calculated CVE-2025-68281 https://git.kernel.org/stable/c/fcd5786b506c51cbabc2560c68e040d8dba22a0d
https://git.kernel.org/stable/c/eb2d6774cc0d9d6ab8f924825695a85c14b2e0c2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c (“usb: gadget: core: flush gadget workqueue after device removal”) attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget’s memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a ‘teardown’ flag and a ‘state_lock’ spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. 2025-12-16 not yet calculated CVE-2025-68282 https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467
https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd
https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65
https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9
https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] 2025-12-16 not yet calculated CVE-2025-68283 https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a
https://git.kernel.org/stable/c/becc488a4d864db338ebd4e313aa3c77da24b604
https://git.kernel.org/stable/c/e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d
https://git.kernel.org/stable/c/b4368b7f97014e1015445d61abd0b27c4c6e8424
https://git.kernel.org/stable/c/ec3797f043756a94ea2d0f106022e14ac4946c02
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] 2025-12-16 not yet calculated CVE-2025-68284 https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d
https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09
https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4
https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424
https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850
https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one (kfree(monc->monmap); monc->monmap = monmap; and ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap;) under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it’s possible for the client->monc.monmap->epoch and client->osdc.osdmap->epoch arms of the condition client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 … Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it’s set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well. 2025-12-16 not yet calculated CVE-2025-68285 https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c
https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f
https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e
https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092
https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb
https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683
https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy’s long-nonblocking-modeset-vs-cursor-atomic fails with a NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitor connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted 6.16.0-99-custom #8 PREEMPT(voluntary) Hardware name: AMD …….. RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu] Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30 c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02 RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668 RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000 RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760 R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000 R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu] amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu] ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu] amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu] drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400 drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30 drm_crtc_get_last_vbltimestamp+0x55/0x90 drm_crtc_next_vblank_start+0x45/0xa0 drm_atomic_helper_wait_for_fences+0x81/0x1f0 … (cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c) 2025-12-16 not yet calculated CVE-2025-68286 https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2
https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d
https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743
https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9
https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf
https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557
https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: – `dwc3_ep0_reset_state()` – `dwc3_ep0_stall_and_restart()` – `dwc3_ep0_out_start()` – `dwc3_remove_requests()` – `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: – `dwc3_stop_active_transfers()` – `dwc3_remove_requests()` – `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: – `gserial_disconnect()` – `usb_ep_disable()` – `dwc3_gadget_ep_disable()` – `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees ‘out’ requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this, a check for request completion is added so that processing is skipped if the request has already completed, and the request status for ep0 is set at queue time. 2025-12-16 not yet calculated CVE-2025-68287 https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2
https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607
https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c
https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090
https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139
https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1
https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport A kernel memory leak was identified by the ‘ioctl_sg01’ test from the Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates the CSW from the sg buffer, but fails to clear it afterwards. This leaves status protocol data in srb’s transfer buffer, such as the US_BULK_CS_SIGN ‘USBS’ signature observed here. Thus, this can lead to USB protocol data leaking to user space through SCSI generic (/dev/sg*) interfaces, such as the one seen here when the LTP test requested 512 KiB. Fix the leak by zeroing the CSW data in srb’s transfer buffer immediately after the validation of devices that skip the data phase. Note: Differently from CVE-2018-1000204, which fixed a big leak by zeroing pages at allocation time, this leak occurs after allocation, when USB protocol data is written to already-allocated sg pages. 2025-12-16 not yet calculated CVE-2025-68288 https://git.kernel.org/stable/c/83f0241959831586d9b6d47f6bd5d3dec8f43bf0
https://git.kernel.org/stable/c/4ba515dfff7eeca369ab85cdbb3f3b231c71720c
https://git.kernel.org/stable/c/467fec3cefbeb9e3ea80f457da9a5666a71ca0d0
https://git.kernel.org/stable/c/cb1401b5bcc2feb5b038fc4b512e5968b016e05e
https://git.kernel.org/stable/c/0f18eac44c5668204bf6eebb01ddb369ac56932b
https://git.kernel.org/stable/c/5b815ddb3f5560fac35b16de3a2a22d5f81c5993
https://git.kernel.org/stable/c/41e99fe2005182139b1058db71f0d241f8f0078c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0xffffff895a512300 (size 240): backtrace: slab_post_alloc_hook+0xbc/0x3a4 kmem_cache_alloc+0x1b4/0x358 skb_clone+0x90/0xd8 eem_unwrap+0x1cc/0x36c unreferenced object 0xffffff8a157f4000 (size 256): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 dwc3_gadget_ep_alloc_request+0x58/0x11c usb_ep_alloc_request+0x40/0xe4 eem_unwrap+0x204/0x36c unreferenced object 0xffffff8aadbaac00 (size 128): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc __kmalloc+0x64/0x1a8 eem_unwrap+0x218/0x36c unreferenced object 0xffffff89ccef3500 (size 64): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 eem_unwrap+0x238/0x36c 2025-12-16 not yet calculated CVE-2025-68289 https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c
https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472
https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf
https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2
https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf
https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7
https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double frees and a use-after-free on late probe failures. 2025-12-16 not yet calculated CVE-2025-68290 https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154
https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef
https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693
https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589
https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442
https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c
https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 (“tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0”). Let’s apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc90003017640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66e998f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 </TASK> 2025-12-16 not yet calculated CVE-2025-68291 https://git.kernel.org/stable/c/05f5e26d488cdc7abc2a826cf1071782d5a21203
https://git.kernel.org/stable/c/88163f85d59b4164884df900ee171720fd26686b
https://git.kernel.org/stable/c/f07f4ea53e22429c84b20832fa098b5ecc0d4e35
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/memfd: fix information leak in hugetlb folios When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. Folios are not marked uptodate before adding to page cache 3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() The memfd allocation path bypasses the normal page fault handler (hugetlb_no_page) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA. Fix by matching the initialization pattern used in hugetlb_no_page(): – Zero the folio using folio_zero_user() which is optimized for huge pages – Mark it uptodate with folio_mark_uptodate() – Take hugetlb_fault_mutex before adding to page cache to prevent races The folio_zero_user() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd. 2025-12-16 not yet calculated CVE-2025-68292 https://git.kernel.org/stable/c/50b4c1c28733a536d637d2f0401d60bcfef60ef2
https://git.kernel.org/stable/c/b09d7c4dc642849d9a96753233c6d00364017fd6
https://git.kernel.org/stable/c/de8798965fd0d9a6c47fc2ac57767ec32de12b49
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer dereference when splitting folio Commit c010d47f107f (“mm: thp: split huge page to any lower order pages”) introduced an early check on the folio’s order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. 2025-12-16 not yet calculated CVE-2025-68293 https://git.kernel.org/stable/c/592db83615a9f0164472ec789c2ed34ad35f732f
https://git.kernel.org/stable/c/d1b83fbacd4397a1d2f8c6b13427a8636ae2b307
https://git.kernel.org/stable/c/cff47b9e39a6abf03dde5f4f156f841b0c54bba0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/net: ensure vectored buffer node import is tied to notification When support for vectored registered buffers was added, the import itself is using ‘req’ rather than the notification io_kiocb, sr->notif. For non-vectored imports, sr->notif is correctly used. This is important as the lifetime of the two may be different. Use the correct io_kiocb for the vectored buffer import. 2025-12-16 not yet calculated CVE-2025-68294 https://git.kernel.org/stable/c/14459281e027f23b70885c1cc1032a71c0efd8d7
https://git.kernel.org/stable/c/f6041803a831266a2a5a5b5af66f7de0845bcbf3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,… su - testuser cifscreds add -d ZELDA -u testuser … ls /mnt/1 … umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak 2025-12-16 not yet calculated CVE-2025-68295 https://git.kernel.org/stable/c/ff8f9bd1c46ee02d5558293915d42e82646d5ee9
https://git.kernel.org/stable/c/d146e96fef876492979658dce644305de35878d4
https://git.kernel.org/stable/c/3dd546e867e94c2f954bca45a961b6104ba708b6
https://git.kernel.org/stable/c/f62ffdfb431bdfa4b6d24233b7fd830eca0b801e
https://git.kernel.org/stable/c/f15288c137d960836277d0e3ecc62de68e52f00f
https://git.kernel.org/stable/c/a67e91d5f446e455dd9201cdd6e865f7078d251d
https://git.kernel.org/stable/c/3184b6a5a24ec9ee74087b2a550476f386df7dc2
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo’s call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing. 2025-12-16 not yet calculated CVE-2025-68296 https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c
https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a
https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash in process_v2_sparse_read() for encrypted directories The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secure mode. It can be reproduced by the steps: sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure (1) mkdir /mnt/cephfs/fscrypt-test-3 (2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3 (3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3 (4) fscrypt lock /mnt/cephfs/fscrypt-test-3 (5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3 (6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar (7) Issue has been triggered ---truncated--- 2025-12-16 not yet calculated CVE-2025-68297 https://git.kernel.org/stable/c/5a3f3e39b18705bc578fae58abacc8ef93c15194
https://git.kernel.org/stable/c/47144748fbf12068ba4b82512098fe1ac748a2e9
https://git.kernel.org/stable/c/7d1b7de853f7d1eefd6d22949bcefc0c25186727
https://git.kernel.org/stable/c/43962db4a6f593903340c85591056a0cef812dfd
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 (“Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()”), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we’ll end up passing a bad pointer to device_lock(). Prior to that commit we’d pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled. Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed). 2025-12-16 not yet calculated CVE-2025-68298 https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815
https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460
https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell’s anonymous key The allocation of a cell’s anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afs_parse_source() parsing the device name given to mount() and calling afs_lookup_cell() with the name of the cell. The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() – but it may not yet be set and so an oops can happen. This has been made more likely to happen by the fix for dynamic lookup failure. Fix this by firstly allocating a reference name and attaching it to the afs_cell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can’t just overlap the cell name by prepending it with “afs@” as the cell name already has a ‘.’ prepended for other purposes). This reference name is then passed to request_key(). Secondly, the anon key is now allocated on demand at the point a key is requested in afs_request_key() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell. Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn’t yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afs_request_key() can be called. Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn’t currently cache a negative lookup, but it’s probably worth some investigation to see if NULL can be used instead. 2025-12-16 not yet calculated CVE-2025-68299 https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b
https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fs/namespace: fix reference leak in grab_requested_mnt_ns lookup_mnt_ns() already takes a reference on mnt_ns. grab_requested_mnt_ns() doesn’t need to take an extra reference. 2025-12-16 not yet calculated CVE-2025-68300 https://git.kernel.org/stable/c/4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5
https://git.kernel.org/stable/c/fe256e59b8e7f126b2464ee32bd9fee131f0a883
https://git.kernel.org/stable/c/7b6dcd9bfd869eee7693e45b1817dac8c56e5f86
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn’t check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path. This crash occurred in production with an Aquantia AQC113 10G NIC. Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. 2025-12-16 not yet calculated CVE-2025-68301 https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c
https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16
https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997
https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038
https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab
https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd
https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let’s add a ‘break’ after the error message to switch to sxgbe_rx_refill(), which is similar to the approach taken by the other drivers in this particular case, e.g. calxeda with xgmac_rx(). Found during a code review. 2025-12-16 not yet calculated CVE-2025-68302 https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648
https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21
https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86
https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5
https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc
https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3
https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer “&punit_ipcdev” when the intent was to pass the pointer itself “punit_ipcdev” (without the ampersand). This means that the: complete(&ipcdev->cmd_complete); in intel_punit_ioc() will write to a wrong memory address corrupting it. 2025-12-16 not yet calculated CVE-2025-68303 https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2
https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480
https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83
https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789
https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa
https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side The hdev lock/lookup/unlock/use pattern in the packet RX path doesn’t ensure hci_conn* is not concurrently modified/deleted. This locking appears to be leftover from before conn_hash started using RCU commit bf4c63252490b (“Bluetooth: convert conn hash to RCU”) and not clear if it had purpose since then. Currently, there are code paths that delete hci_conn* from elsewhere than the ordered hdev->workqueue where the RX work runs in. E.g. commit 5af1f84ed13a (“Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync”) introduced some of these, and there probably were a few others before it. It’s better to do the locking so that even if these run concurrently no UAF is possible. Move the lookup of hci_conn and associated socket-specific conn to protocol recv handlers, and do them within a single critical section to cover hci_conn* usage and lookup. syzkaller has reported a crash that appears to be this issue: [Task hdev->workqueue] [Task 2] hci_disconnect_all_sync l2cap_recv_acldata(hcon) hci_conn_get(hcon) hci_abort_conn_sync(hcon) hci_dev_lock hci_dev_lock hci_conn_del(hcon) v——————————– hci_dev_unlock hci_conn_put(hcon) conn = hcon->l2cap_data (UAF) 2025-12-16 not yet calculated CVE-2025-68304 https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93
https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1]. [1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 2025-12-16 not yet calculated CVE-2025-68305 https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a
https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e
https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7
https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a null check before releasing resources to avoid attempting to release a null pointer. 2025-12-16 not yet calculated CVE-2025-68306 https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3
https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b
https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_skb as free - free the driver’s context and do accounting - wake the send queue 2025-12-16 not yet calculated CVE-2025-68307 https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000
https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d
https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db
https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3
https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to handle zero-length commands. These commands are used to align data to the USB endpoint’s wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using the `round_up()` function. However, if a zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), the `round_up` function will return the unchanged value of `pos`. This prevents `pos` from being increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary. 2025-12-16 not yet calculated CVE-2025-68308 https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add
https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345
https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a
https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f
https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f
https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48
https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: PCI/AER: Fix NULL pointer access by aer_info The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it. 2025-12-16 not yet calculated CVE-2025-68309 https://git.kernel.org/stable/c/6618243bcc3f60825f761a41ed65fef9fe97eb25
https://git.kernel.org/stable/c/0a27bdb14b028fed30a10cec2f945c38cb5ca4fa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc’s EEH and generic PCI AER processing do. During error recovery testing a pair of tasks was reported to be hung: mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds. INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too: - task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock() - task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock. A similar deadlock situation can be reproduced by requesting a crdump with > devlink health dump show pci/<BDF> reporter fw_fatal while PCI error recovery is executed on the same <BDF> physical function by mlx5_core’s pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw <BDF> Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with “kernel answers: Permission denied” - and we get a kernel log message of: mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5 because the config read of VSC_SEMAPHORE is rejected by the underlying hardware. Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390’s implementation of PCI error recovery is imposing restrictions that neither powerpc’s EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space. 2025-12-16 not yet calculated CVE-2025-68310 https://git.kernel.org/stable/c/d0df2503bc3c2be385ca2fd96585daad1870c7c5
https://git.kernel.org/stable/c/b63c061be622b17b495cbf78a6d5f2d4c3147f8e
https://git.kernel.org/stable/c/3591d56ea9bfd3e7fbbe70f749bdeed689d415f9
https://git.kernel.org/stable/c/54f938d9f5693af8ed586a08db4af5d9da1f0f2d
https://git.kernel.org/stable/c/0fd20f65df6aa430454a0deed8f43efa91c54835
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: tty: serial: ip22zilog: Use platform device for probing After commit 84a9582fd203 (“serial: core: Start managing serial controllers to enable runtime PM”) serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code. 2025-12-16 not yet calculated CVE-2025-68311 https://git.kernel.org/stable/c/460e0dc9af2d7790d5194c6743d79f9b77b58836
https://git.kernel.org/stable/c/77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e
https://git.kernel.org/stable/c/3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the “free active object (kevent)” error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev(). 2025-12-16 not yet calculated CVE-2025-68312 https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e
https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915
https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b
https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d
https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565
https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84
https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc
https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There’s an issue with RDSEED’s 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 “at a rate inconsistent with randomness while incorrectly signaling success (CF=1)”. Search the web for AMD-SB-7055 for more detail. Add a fix glue which checks microcode revisions. [ bp: Add microcode revisions checking, rewrite. ] 2025-12-16 not yet calculated CVE-2025-68313 https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb
https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766
https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: make sure last_fence is always updated Update last_fence in the vm-bind path instead of kernel managed path. last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts. This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use. Patchwork: https://patchwork.freedesktop.org/patch/680080/ 2025-12-16 not yet calculated CVE-2025-68314 https://git.kernel.org/stable/c/8ee817ceafba266d9c6f3a09babd2ac7441d9a2b
https://git.kernel.org/stable/c/86404a9e3013d814a772ac407573be5d3cd4ee0d
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to detect potential corrupted nid in free_nid_list As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let’s add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list. 2025-12-16 not yet calculated CVE-2025-68315 https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa
https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d
https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix invalid probe error return value After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed. Subsequently, removing the driver results in an oops because it is not in a valid state. This happens because none of the callers of ufshcd_init() expect a non-negative error code. Fix the return value and documentation to match actual usage. 2025-12-16 not yet calculated CVE-2025-68316 https://git.kernel.org/stable/c/df96dbe1af7f6591c09f862f1226d3619b07e1b6
https://git.kernel.org/stable/c/a2b32bc1d9e359a9f90d0de6af16699facb10935
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/zctx: check chained notif contexts Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let’s check the assumption on notification completion. 2025-12-16 not yet calculated CVE-2025-68317 https://git.kernel.org/stable/c/aaafd17d3f4be2c15539359a5b4bfa00237f687f
https://git.kernel.org/stable/c/d664a3ce3a604231a0b144c152a3755d03b18b60
https://git.kernel.org/stable/c/ab3ea6eac5f45669b091309f592c4ea324003053
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang. Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset. In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating. 2025-12-16 not yet calculated CVE-2025-68318 https://git.kernel.org/stable/c/bdec5e01fc2f3114d1fb1daeb1000911d783c4ae
https://git.kernel.org/stable/c/c567bc5fc68c4388c00e11fc65fd14fe86b52070
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netconsole: Acquire su_mutex before navigating configs hierarchy There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes. Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem. This can race with configfs’ > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications. Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex. Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the node’s .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ). Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: – userdatum_value_store() which calls update_userdata() to iterate over cg_children – All sysdata_*_enabled_store() functions which call count_extradata_entries() to iterate over cg_children The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code. 2025-12-16 not yet calculated CVE-2025-68319 https://git.kernel.org/stable/c/ff70aa7e8cf05745fdba7258952a8bedf33ea336
https://git.kernel.org/stable/c/d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: lan966x: Fix sleeping in atomic context The following warning was seen when we try to connect using ssh to the device. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x7c/0xac dump_stack_lvl from __might_resched+0x16c/0x2b0 __might_resched from __mutex_lock+0x64/0xd34 __mutex_lock from mutex_lock_nested+0x1c/0x24 mutex_lock_nested from lan966x_stats_get+0x5c/0x558 lan966x_stats_get from dev_get_stats+0x40/0x43c dev_get_stats from dev_seq_printf_stats+0x3c/0x184 dev_seq_printf_stats from dev_seq_show+0x10/0x30 dev_seq_show from seq_read_iter+0x350/0x4ec seq_read_iter from seq_read+0xfc/0x194 seq_read from proc_reg_read+0xac/0x100 proc_reg_read from vfs_read+0xb0/0x2b0 vfs_read from ksys_read+0x6c/0xec ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8 It seems that we are using a mutex in an atomic context which is wrong. Change the mutex with a spinlock. 2025-12-16 not yet calculated CVE-2025-68320 https://git.kernel.org/stable/c/5a5d2f7727752b64d13263eacd9f8d08a322e662
https://git.kernel.org/stable/c/c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d
https://git.kernel.org/stable/c/3ac743c60ec502163c435712d527eeced8d83348
https://git.kernel.org/stable/c/0216721ce71252f60d89af49c8dff613358058d3
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: page_pool: always add GFP_NOWARN for ATOMIC allocations Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default. 2025-12-16 not yet calculated CVE-2025-68321 https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210
https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de
https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73
https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc
https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5
https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: parisc: Avoid crash due to unaligned access in unwinder Guenter Roeck reported this kernel crash on his emulated B160L machine: Starting network: udhcpc: started, v1.36.1 Backtrace: [<104320d4>] unwind_once+0x1c/0x5c [<10434a00>] walk_stackframe.isra.0+0x74/0xb8 [<10434a6c>] arch_stack_walk+0x28/0x38 [<104e5efc>] stack_trace_save+0x48/0x5c [<105d1bdc>] set_track_prepare+0x44/0x6c [<105d9c80>] ___slab_alloc+0xfc4/0x1024 [<105d9d38>] __slab_alloc.isra.0+0x58/0x90 [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0 [<105b8e54>] __anon_vma_prepare+0x60/0x280 [<105a823c>] __vmf_anon_prepare+0x68/0x94 [<105a8b34>] do_wp_page+0x8cc/0xf10 [<105aad88>] handle_mm_fault+0x6c0/0xf08 [<10425568>] do_page_fault+0x110/0x440 [<10427938>] handle_interruption+0x184/0x748 [<11178398>] schedule+0x4c/0x190 BUG: spinlock recursion on CPU#0, ifconfig/2420 lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0 While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory. The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock. Fix it by checking the alignment before accessing the memory. 2025-12-16 not yet calculated CVE-2025-68322 https://git.kernel.org/stable/c/9ac1f44723f26881b9fe7e69c7bc25397b879155
https://git.kernel.org/stable/c/009270208f76456c2cefcd565da263b90bb2eadb
https://git.kernel.org/stable/c/fd9f30d1038ee1624baa17a6ff11effe5f7617cb
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: fix use-after-free caused by uec->work The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed. Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN: ================================================================== BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630 Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0 … Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x78/0x90 print_report+0x114/0x580 kasan_report+0xa4/0xf0 __asan_report_store8_noabort+0x20/0x2c __run_timers+0x5ec/0x630 run_timer_softirq+0xe8/0x1cc handle_softirqs+0x294/0x720 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x30/0x48 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x27c/0x364 irq_exit_rcu+0x10/0x1c el1_interrupt+0x40/0x60 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 arch_local_irq_enable+0x4/0x8 (P) do_idle+0x334/0x458 cpu_startup_entry+0x60/0x70 rest_init+0x158/0x174 start_kernel+0x2f8/0x394 __primary_switched+0x8c/0x94 Allocated by task 72 on cpu 0 at 27.510341s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c kasan_save_alloc_info+0x40/0x54 __kasan_kmalloc+0xa0/0xb8 __kmalloc_node_track_caller_noprof+0x1c0/0x588 devm_kmalloc+0x7c/0x1c8 gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 really_probe+0x17c/0x5b8 __driver_probe_device+0x158/0x2c4 driver_probe_device+0x10c/0x264 __device_attach_driver+0x168/0x2d0 bus_for_each_drv+0x100/0x188 
__device_attach+0x174/0x368 device_initial_probe+0x14/0x20 bus_probe_device+0x120/0x150 device_add+0xb3c/0x10fc __auxiliary_device_add+0x88/0x130 … Freed by task 73 on cpu 1 at 28.910627s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c __kasan_save_free_info+0x4c/0x74 __kasan_slab_free+0x60/0x8c kfree+0xd4/0x410 devres_release_all+0x140/0x1f0 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x344/0x460 device_release_driver+0x18/0x24 bus_remove_device+0x198/0x274 device_del+0x310/0xa84 … The buggy address belongs to the object at ffff00000ec28c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 200 bytes inside of freed 512-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) page_type: f5(slab) raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================ —truncated— 2025-12-18 not yet calculated CVE-2025-68323 
https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003
https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489
https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: scsi: imm: Fix use-after-free bug caused by unfinished delayed work The delayed work item ‘imm_tq’ is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated. However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory. The race condition can occur as follows: CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck() imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(…) //USE dev-> //USE Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated. 2025-12-18 not yet calculated CVE-2025-68324 https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092
https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b
https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13
https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged. 2025-12-18 not yet calculated CVE-2025-68325 https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520
https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb
https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b
https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue. 2025-12-17 not yet calculated CVE-2025-68399 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user – including one with zero assigned permissions – can exploit SQL injection through the `familyId` parameter. Version 6.5.3 fixes the issue. 2025-12-17 not yet calculated CVE-2025-68400 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2
 
ChurchCRM–CRM ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue. 2025-12-17 not yet calculated CVE-2025-68401 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v
 
cvat-ai–cvat CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available. 2025-12-19 not yet calculated CVE-2025-68430 https://github.com/cvat-ai/cvat/security/advisories/GHSA-3g7v-xjh7-xmqx
https://github.com/cvat-ai/cvat/commit/2c24ef0c3f8fd94f6c71cff4eafcf11bfcaa5f91
 
boscop-fr–orejime Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn’t have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code. 2025-12-19 not yet calculated CVE-2025-68457 https://github.com/boscop-fr/orejime/security/advisories/GHSA-72mh-hgpm-6384
https://github.com/boscop-fr/orejime/issues/142
https://github.com/boscop-fr/orejime/pull/143
 
ImageMagick–ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the issue. 2025-12-18 not yet calculated CVE-2025-68469 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fff3-4rp7-px97
 
TP-Link Systems Inc.–Tapo C200 V3 A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS). 2025-12-20 not yet calculated CVE-2025-8065 https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/4849/
 